Lunev’s book stated that GRU agents had, in fact, already planted suitcase-sized nuclear weapons on American soil, ready to be set off in the event of war. More speculatively, he argued that Russian military agents were also prepared to poison the water supplies of American cities with chemical and biological weapons. “One likely target would be the Potomac River, targeting the residents of Washington, DC,” he wrote. “Small amounts of the weapons would cause minor epidemics. Large amounts could have unimaginable deadly impact.”
After congressional hearings on that suitcase scare, Lunev’s nuke claims would be partially discredited when the FBI told Congressman Curt Weldon in 2001 that Lunev had exaggerated the threat. But other Soviet defectors confirmed that the U.S.S.R. had indeed manufactured small, tactical nuclear weapons roughly in line with Lunev’s descriptions and that Russia had continued to plan for the release of biological weapons in the United States in the event of a full-scale war.
Lunev’s broader claims of wide-scale sabotage preparations, like many of Rezun’s, may never be confirmed or proven false; the GRU was, after all, designed from its earliest inception to elude that sort of certainty about its practices. But in Lunev’s book, he does provide a passage that seems to offer one of the clearest possible views inside the minds of the GRU saboteurs who would carry out similar attacks on every level of their enemies’ civilian society, via the internet, two decades later. “It should not be shocking that Spetznatz would infiltrate America,” he wrote.
It is simply good military practice. War is war. It sounds simple, but many Americans seem to believe that there should be a gentlemen’s code, that war should be fought by soldiers in remote battlefields. Americans believe that war should be sterile, because it has never hit their home soil since the Civil War of 130 years ago, and even then, only in the south-eastern part of the country. Russia has been rampaged for centuries by every would-be world conqueror. Millions of Russians have died on their homeland during wars. This is a feeling Americans do not know. The only way you get an enemy to submit is by bringing the war to its people.
* * *
■
There exists no Rezun or Lunev for today’s GRU. The last high-ranking GRU defector known to the public is Sergei Skripal, a former paratrooper who reached the rank of colonel before secretly beginning to work for Britain’s MI6 in 1996. He met with his U.K. handlers secretly in Italy, Malta, Portugal, and Turkey and at one point wrote notes in invisible ink in the margins of a novel his wife passed to agents in Spain. Skripal knew few operational details but would outline the GRU’s structure for British intelligence and name hundreds of GRU agents. By most accounts, he remained a Russian patriot; he simply betrayed his colleagues for the money.
In 2004, Skripal was arrested by the FSB, the successor to the KGB focused on domestic affairs. He spent six years in prison before being released as part of an international spy swap. Reporting by the BBC would later suggest that he quietly continued to act as a source to Western intelligence agencies for years to come.
Then, in early March 2018, Skripal and his thirty-three-year-old daughter, Yulia, were found on a bench in Salisbury, the town eighty miles southwest of London where he had moved since his defection. The father and daughter were both semiconscious, convulsing, frothing at the mouth, and struggling to breathe.
In the months that followed, a pair of GRU agents were revealed to have traveled to Salisbury and poisoned the Skripals with a deadly nerve agent known as Novichok, designed to cause paralysis and suffocation. The highly potent poison had been sprayed on the front door of Skripal’s house, and traces of the toxin also appeared at two restaurants he and his daughter had visited.
Both Yulia and Sergei Skripal were admitted to a nearby hospital and spent months in recovery, narrowly escaping death.* But the message had been sent, to Skripal and to any other would-be memoirist of Russia’s modern military intelligence agency: This is what happens to those who spill secrets.
When the Skripal poisoning hit the news, I was in the last stages of reading a small mountain of biographies and autobiographies of past GRU defectors, working my way through the agency’s history toward its present. But Skripal’s case made it clear: If I was going to learn more about the same institution today, it wouldn’t be by reading tell-all books. It would be by piecing together hints and glimpses of the truth, to find my own path in the dark.
* Tragically, two British citizens were hospitalized months later with the same symptoms as the Skripals, seemingly after picking up a bottle of the Novichok nerve agent discarded by Skripal’s would-be assassins. One of them, forty-four-year-old Dawn Sturgess, died nine days later.
32
INFORMATSIONNOYE PROTIVOBORSTVO
For all its defectors’ menacing talk of sabotaging infrastructure far behind enemy lines, tactical nukes, and chemical weapons, the GRU seems to have arrived late to the notion that the internet might be the vehicle for a new breed of unconventional weaponry. In my conversations with the rare sources I could find who had actually spoken to recent Russian intelligence insiders, no one could point to much evidence that the GRU had been involved in Russia’s earliest, primitive experiments in cyberwar or even basic cyberespionage, from Moonlight Maze to the blitz of the Estonian web.
It was, after all, the KGB, not the GRU, who had hired the West German freelance hackers who invented state-sponsored hacking in the 1980s, as told in Cliff Stoll’s Cuckoo’s Egg. Andrei Soldatov, one of the few Russian journalists and authors who has spent years investigating Russian intelligence agencies, told me that in the 1990s era of Russian cyberspying, Kremlin hacking and cybersecurity were dominated by an agency called FAPSI—the Federal Agency of Government Communications and Information—that acted as Russia’s equivalent of the NSA.
In 2003, FAPSI was cannibalized by its intelligence siblings, with most of its key roles falling to the FSB, one of several agencies created from the remains of the KGB. The result, as Soldatov described it, was that the FSB took over most of the Kremlin’s state-sponsored hacking for the rest of that decade. “When FAPSI merged with the FSB, they were put in charge,” he told me when I interviewed him in a hotel bar before his talk at PutinCon, a New York conference devoted to hosting the Russian president’s most outspoken critics. “On all levels, they defined the rules.” That hierarchy meant that the GRU had taken a backseat to the FSB throughout Russia’s inchoate cyberwars in Estonia and Georgia, relegated to traditional intelligence in direct support of the military rather than the exciting new realm of digital offensive operations.*1
But the 2008 war in Georgia was a turning point for the GRU: It was, in the eyes of the Kremlin, considered evidence of the agency’s unforgivable incompetence. While Russia had dominated the Georgian conflict, and the GRU’s spetsnaz forces had by all accounts performed well in it, the agency’s faulty intelligence had also led to embarrassments like bombing already-abandoned Georgian airstrips. The GRU’s spies had missed that the Georgians possessed anti-aircraft missiles that threatened Russian air force operations. Attempts to intercept Georgian communications had failed. Moscow came to see the GRU as too obsessed with its spetsnaz-style run-and-gun raids and not focused enough on subtler espionage and influence operations.
The result, in the vicious environment of Russian interagency backstabbing, was that the GRU was stripped of its responsibilities and humiliated. Russia’s then president, Dmitry Medvedev, handed many of its intelligence duties to the FSB and the foreign intelligence service known as the SVR. A thousand GRU officers were cut or reassigned, along with almost the entire spetsnaz, who were moved to another branch of military control.
The Kremlin considered a bureaucratic demotion that would have altogether deprived the agency of direct contact with President Medvedev and the source of all real power, Putin. (The GRU was even threatened with removal of its G, making it simply an intelligence directorate rather than the “main” one. I
nstead, it would strangely be renamed the Main Directorate, or GU, though most in the West continue to call it by its better-known three-letter name.) Even the emblem for the agency, a menacing black bat with its wings looming over a globe, was replaced with a far less fearsome image of a flower. “This, to me, was also meant to be a kind of insult,” Soldatov said.
But the GRU, unlike the FAPSI before it, wasn’t destroyed. Instead, it was in the resulting period of reform and mutation that the contemporary GRU was born.
Much of the interagency conflict that shaped that resurrection remains entirely hidden from outside observers. “It’s like watching bulldogs fighting under a rug,” said Keir Giles, a Russia-watcher for the British think tank Chatham House and a former consultant at the U.K. Defence Academy. “You just wait and see which one comes out on top.”
The GRU’s makeover benefited from two personnel changes over the next years: First came the firing of the agency’s director, Valentin Korabelnikov, who had “seemed more comfortable accompanying Spetsnaz assassination teams in Chechnya than playing palace politics in Moscow,” as Mark Galeotti wrote in Foreign Policy. Korabelnikov was eventually replaced in 2011 by Igor Sergun, who had both a closer relationship to Putin and far more talent at navigating the Kremlin’s treacherous maze. Then came a new minister of defense in 2012, Sergey Shoygu, who supported the GRU’s reemerging role as the tip of the spear of the Russian armed forces.
Beneath its cover of secrecy, meanwhile, the GRU began the process of reinventing itself as the most aggressive hacking agency in the Russian government—or perhaps the world. “They were in the doldrums, trying not to be demoted,” said Galeotti, who has spent thirty years talking to Russian intelligence insiders, initially as a staffer at the U.K. Foreign Office, and has written more in the public record about the modern GRU than perhaps any other analyst. “From 2008 to 2014, the GRU was trying to re-demonstrate its role and value to the Kremlin. One way was getting more serious about cyber.”
As it sought to reshape itself, according to Galeotti, the recent Georgian cyberwar gave the agency a rough model. “That’s when the GRU said ‘aha,’ ” Galeotti said. “Something as simple as knocking down and defacing websites can make a difference in war.” (In 2010, Stuxnet would demonstrate a vastly more powerful model of cyberwarfare, but one that seemed to remain beyond the GRU’s technological capabilities for years to come.)
No one I asked could tell me the internal details of the GRU’s metamorphosis. But the timing of those changes struck me as more than a coincidence: The years aligned roughly with the timeline of the Sandworm attacks that John Hultquist’s team at iSight Partners had discovered, from the hackers’ first known breaches in 2009 to its emergence as a uniquely dangerous, critical-infrastructure-focused operation in 2014.
By the time Russia invaded Ukraine that same year, the GRU’s revival was evident. The takeover of Crimea had been based on a plan derived largely from GRU intelligence. It was the GRU that led the invasion of “little green men” that armed and incited pro-Russian separatists in eastern Ukraine.*2 And unbeknownst to the world, the agency was already secretly laying the groundwork for a kind of cyberwar the internet had never before seen.
The new incarnation of Russia’s hundred-year-old military intelligence agency had “shown the rest of the world how Russia expects to fight its future wars: with a mix of stealth, deniability, subversion, and surgical violence,” Galeotti wrote in July of that year. “The GRU is back in the global spook game and with a new playbook that will be a challenge for the West for years to come.”
* * *
■
None of this history, though, answered my underlying question: What was Sandworm thinking? What motivates cyberwar without limits, without discrimination between soldier and civilian?
One more recent document seemed to offer a keyhole view into the thinking of the Russian military and its understanding of that distinction. In 2013, the Russian-language journal Voenno-Promyshlennyi Kur’er, or Military-Industrial Courier, had published a two-thousand-word article with an absurdly dry title: “The Value of Science in Prediction.” It was based on a speech given by the chief of the General Staff of the Russian military, General Valery Gerasimov. The article was little noticed in the West, but Mark Galeotti published a translation in his blog a year later.
“In the 21st century we have seen a tendency toward blurring the lines between the states of war and peace,” the article began. “Wars are no longer declared and, having begun, proceed according to an unfamiliar template.”
New information technologies have enabled significant reductions in the spatial, temporal, and informational gaps between forces and control organs. Frontal engagements of large formations of forces at the strategic and operational level are gradually becoming a thing of the past. Long-distance, contactless actions against the enemy are becoming the main means of achieving combat and operational goals. The defeat of the enemy’s objectives is conducted throughout the entire depth of his territory.
A graphic published with the article succinctly listed the “new forms and methods” of war as bullet points. They included:
“Reduction of the military-economic potential of the state by the destruction of critically important facilities of its military and civilian infrastructure in a short time.”
“Warfare simultaneously in all physical environments and the information space.”
“The use of asymmetric and indirect operations.”
As the prime example of this new form of war, Gerasimov had pointed to the Arab Spring revolutions across North Africa, arguing they showed how external political factors could weaken or destroy a regime. That part of his analysis reflected the dubious conspiracy theory—no doubt commonly held within the Kremlin—that the uprisings in Tunisia, Egypt, and Libya had all somehow been secretly fomented by Western governments.
But as Galeotti wrote in his commentary on the Gerasimov article, the Arab Spring comparisons seemed to be only a pretense to talk about how Russia itself could weaken or destroy its own enemies. And the way to do that, Gerasimov argued, was with nontraditional, asymmetric, covert attacks on the pillars of their social stability, often by means of what he called informatsionnoye protivoborstvo, or “informational confrontation.”
When Galeotti published his take on Gerasimov’s speech in July 2014, titling his post “The ‘Gerasimov Doctrine’ and Russian Non-linear War,” he saw in the speech a prescient explanation of the strategy Russia had already used in the earliest months of its Ukrainian invasion. Even before any signs of a cyberwar had come to light, Russia was secreting troops across the border out of uniform, flooding the Ukrainian media with disinformation, and exploiting internal instabilities.
But when the GRU’s meddling in the U.S. presidential election emerged two years later, it suddenly seemed to suggest an even more far-reaching and insidious example of the ideas Gerasimov described, now put into practice. As the frenzy around Russia’s election-related hacking grew in late 2016 and 2017, the Gerasimov Doctrine began to be referred to in mainstream Western media as the key to understanding all Russian warfare. The notion was repeated widely enough that Galeotti himself felt the need to step back from it, pointing out that Gerasimov had hardly been the first to suggest waging hybrid wars that extended past the traditional military front—the Georgian war offered a clear example five years earlier—and that his “Gerasimov Doctrine” wasn’t even a formal or comprehensive doctrine so much as a momentary peek into the evolution of Russian military thinking.
But in early 2018, after Sandworm had been connected directly to the Russian military, I couldn’t help but see how Gerasimov’s ideas explained Sandworm’s actions, too. The “informational confrontation” Gerasimov suggested wasn’t necessarily limited to disinformation or propaganda. In fact, both Galeotti and Giles emphasized to me that there is no distinction in common R
ussian vocabulary between “information war” and a concept of “cyberwar” that suggests disruptive or physical consequences of hacking. Both fall under the same term, informatsionnaya voyna. “Whether it’s to change someone’s mind or achieve a physical effect, it’s the same thing,” Giles said.
The “long-distance, contactless actions” against enemy targets “throughout the entire depth of his territory” that Gerasimov described matched Sandworm’s modus operandi perfectly, from blackouts to NotPetya. Sandworm was not some aberrant or rogue element in the Russian armed forces. It was a direct expression of the strategy of its most senior leaders.
* * *
■
If the vague outline of the GRU and Russian military thinking was tough to discern at the official level, it was far harder still to get inside the mind of its rank and file. When I asked Galeotti and Soldatov about the psychological profile of the average GRU hacker, they both started with a simple answer: They’re following orders.
The FSB, as Galeotti explained, had notoriously mixed its staff’s hackers with recruited cybercriminals, often forcing them to cooperate to avoid prison. When the GRU began building its own hacking operations in 2008, Galeotti says it instead went through the far slower but more reliable process of recruiting its hackers at the age of eighteen or nineteen and then training them, as it would any soldier.
Sandworm Page 25