Booz Allen analyzed more than 200 Russian hacking operations to better understand its tactics

Booz Allen Hamilton, the largest private contractor in the U.S. intelligence community, released a comprehensive report this week detailing 15 years (2004 to 2019) of cyber operations by Russia’s military hackers.

The report is a rarity in the cybersecurity community because it focuses on the bigger picture of how the Russian military uses its hacking units to support the country’s foreign policy around the world.

This is in contrast to most other infosec industry reports, which usually focus their research on isolated events, avoid any political analysis, and rarely attribute attacks to foreign governments.

Instead, the Booz Allen report gathers all the previous reports on past Russian hacks and places them in a broader political context, to understand why they happened, rather than how they happened, what malware was used, and who pushed which button and when.


More specifically, the Booz Allen report focuses on cyber operations performed by the intelligence service attached to Russia’s military.

Known as the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, this intelligence agency is widely known in Russia and abroad by its former acronym, GRU, derived from its historical name, Glávnoye Razvedyvatel’noje Upravléniye (Main Intelligence Directorate). The agency’s current name is Glávnoye Upravléniye, or GU, but this term is rarely used, and the service is still widely called the GRU.

For context, the GRU is distinct from Russia’s internal intelligence service, known as the FSB, a successor to the infamous KGB. Unlike the FSB, the GRU exclusively supports Russia’s military operations and the Kremlin’s foreign policy.

For the last 15 years, the GRU has been associated with two very different hacking groups. The first is APT28 (also called Fancy Bear) and the second is Sandworm.

Each hacking group is believed to be a separate military unit within Russia’s military intelligence service, responsible for conducting cyber operations of varying degrees of sophistication, with Sandworm considered the GRU’s elite division.

GRU attacks can be predicted using Russia’s military doctrine

According to Booz Allen, the cyber operations carried out by both groups cannot be viewed in isolation. They are almost always carried out within a broader political context.

Because the GRU is a military organization, its actions follow a set pattern. Booz Allen says it analyzed more than 200 unique cyber incidents publicly attributed to the GRU and found that pattern.

According to the American intelligence contractor, this pattern fits well with the principles outlined in a Russian government document called “The Military Doctrine of the Russian Federation,” which the Russian government publishes periodically.

The latest version of this document was published in 2014 and lists 23 security risks to the Russian Federation to which the Russian military must respond in one way or another.

Image: Booz Allen Hamilton

In the 80-page report, Booz Allen analysts sorted each of the more than 200 past GRU cyberattacks into one of these 23 categories, showing how each cyberattack was Russia’s natural defensive reaction to political change around it.

The bottom line of this report is that GRU offensive cyber operations can be predicted.

Businesses or governments whose agendas clash with the Russian government’s in a way the Kremlin could interpret as one of the 23 risks listed in its military doctrine should anticipate a response from Russia’s notorious military hackers.

“Defending against cyber operations, such as those of the GRU, requires understanding not only how these operations take place but, more importantly, why,” said Booz Allen’s analysts this week. “By understanding why adversaries act, defenders can better anticipate when, where, and in what ways these actions may take place, and take deliberate action to mitigate their risk based on that knowledge.”

We will not list all of the more than 200 GRU cyberattacks from the Booz Allen report in this article, as we would end up with a piece of equal length.

However, below are some international incidents to which Russia responded by unleashing its GRU hacking units, along with how each cyberattack correlates with one or more of the 23 risks described in its military doctrine.

We focus on lesser-known incidents rather than the most prominent ones.

Montenegro

Russia intervened in Montenegro’s affairs after the country moved to join NATO. According to its military doctrine, Russia views NATO’s expansion as risk #1 on its list of security risks.

GRU operations were central to the Kremlin’s efforts to get a pro-Russian government elected and prevent the country from joining NATO.

  • Three days before the election, GRU operators conducted DDoS attacks against media outlets, the country’s largest telecommunications provider, an election-monitoring NGO, and government sites, in order to disrupt the upcoming election and sow confusion.
  • Booz Allen notes that GRU operations also received help from non-military quarters, with Russia funding opposition political groups and also “seeking coordination with politicians, clergy, NGOs and the media.”
  • The GRU operation to prevent Montenegro from electing a Western-friendly politician also included a ground component. Montenegrin law enforcement later detained GRU officers and other agents who were allegedly planning to storm parliament, assassinate the Prime Minister, and incite civil unrest with false-flag attacks on civilians.
  • After Montenegro joined NATO, GRU operations reverted to its hacking units, which continued with spear-phishing campaigns.

Syria

The GRU supported Russia’s war effort in Syria as the Kremlin sought to keep a Putin-friendly leader in power. This aligns with the military doctrine’s goal of maintaining a stable political climate around Russia and preventing foreign powers from destabilizing its allies and neighbors (#2 on the doctrine’s list of risks).

  • According to Booz Allen, “the GRU likely responded to these circumstances [US military intervention in Syria] by using an ISIL hacktivist persona to harass and intimidate US military and law enforcement communities from December 2014 through February 2015.”
  • GRU operators defaced US media websites to create the impression that ISIL controlled considerable cyber capabilities.
  • GRU operators leaked the personal data of US service members. Some of the data was leaked through the hijacked social media accounts of US Central Command (CENTCOM).
  • GRU operators hacked a Maryland television station’s text-message alert system to send threatening messages to subscribers. Together with Russia’s military efforts in Syria, the GRU’s online efforts appear to have been successful, as US public support for a war in Syria declined and the United States withdrew.

Poland

GRU cyber-espionage operations played a key role in the Russian government’s response to the creation of a significant NATO base in Poland. This is in line with the doctrine’s required response to NATO’s growing presence in the region (#1 in its military doctrine), but also to the danger of foreign powers deploying troops near Russia’s border (#3 in its military doctrine).

  • Since summer 2014, the GRU has been heavily involved in “monitoring the Polish government and defense sectors.”
  • This was done through “watering hole” attacks. GRU-linked hackers compromised a Polish government public records website and the website of a Polish defense company, where they planted code that automatically installed a backdoor on visitors’ systems.
  • According to Booz Allen, using a watering hole rather than more targeted spear-phishing suggests a desire for maximum visibility across many Polish targets (i.e., policymakers, contractors).
  • When Russia proposed in 2018 to build a similar base in Belarus to counter NATO’s Poland base, Belarus declined. That same month, GRU hackers began targeting the Belarusian government with spear-phishing operations.

Romania

GRU hackers began targeting Romania after the country increased its military spending and activity. As with Poland, Russia was responding to a foreign country increasing its military presence in an area of interest, in this case the Black Sea (again #3 in its military doctrine).

  • In the same month that Romania proposed creating a joint military unit with Moldova, GRU operators launched spear-phishing attacks against Romania’s embassy in Russia in order to closely monitor developments.
  • After Russia annexed Crimea in 2014, Romania ordered three submarines and four surface ships to modernize its naval presence in the Black Sea. One month later, various phishing campaigns targeted Romanian entities, with samples of GRU-linked malware frequently uploaded to the VirusTotal scanning service from Romania.

Denmark

GRU hacking operations targeted Denmark for years after the country announced that it was joining NATO’s anti-missile defense system.

In this case, Russia was responding to the United States undermining its military deterrent by deploying a missile system near its borders (#4 in its military doctrine).

  • On March 15, Russia’s ambassador to Denmark warned in a newspaper that, if Denmark joined the “US-controlled missile defense,” Danish warships would become “… Russian nuclear missile targets.”
  • Ten days later, the GRU launched a two-year effort to hack the email accounts of employees of the Danish Ministries of Foreign Affairs and Defense.

United Kingdom

Russia deployed its military hackers against the United Kingdom after the country considered sending troops to Syria, a move that put it squarely at odds with Russia (#2 and #8 in its military doctrine).

  • GRU hackers established preemptive beachheads in a British television station’s network in July 2015, the same month the UK government was planning to send troops to Syria.
  • The station was the Islam Channel, and the GRU is believed to have intended to use it to target the UK’s Muslim community.
  • Similar attacks were seen against television stations in France and the United States, both UK allies, all under the guise of an ISIL-aligned hacktivist group called CyberCaliphate.

2016 US presidential election

Russia deployed APT28 to meddle in the 2016 U.S. presidential election after the United States triggered security risk #14 of its military doctrine, state-sponsored subversive activities aimed at Russia, when the United States ran a state-sponsored foreign influence campaign in support of President Putin’s rival during the 2012 Russian presidential election.

What followed was the DNC hack, APT28 posing as the hacktivist Guccifer 2.0, DCLeaks, and an army of online trolls and fake-news site networks aimed at the American public.

International sports organizations

Russia also deployed its GRU hackers to discredit international sports organizations around the world after Russian athletes were banned from a number of sporting events.

At the time, it seemed odd that Russian state hackers would go after sports organizations, as these are not the usual targets of a state-sponsored hacking group. But according to Booz Allen, WADA’s ban of Russian athletes from the Olympics was a public humiliation for the Russian state and effectively triggered risk #17 of Russia’s military doctrine, under which the WADA ban was seen as an attack on Russian history, spiritual and patriotic values, and traditions.

True to its military doctrine, Russia unleashed its GRU hackers, triggering some of the most brazen state-sponsored hacking campaigns seen this decade, alongside the 2014 Sony hack.

  • The GRU hacked the World Anti-Doping Agency (WADA) in 2016 and, through fake proxy hacktivist personas, leaked athletes’ Therapeutic Use Exemptions (TUEs).
  • The aim was to create a false sense of moral equivalence between Russian athletes who doped and athletes from other countries who used otherwise banned substances for medical reasons. Russian state media strongly pushed this narrative once the GRU leaked the TUE files.
  • Two years later, GRU hackers also sought to sabotage and disrupt the 2018 Winter Olympics, in response to Russian athletes still being banned from the Games.

Dozens of other case studies are detailed in the report by Booz Allen.