Hacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28

Ukrainian hacktivist team Cyber Resistance hacked the email of Lieutenant Colonel Sergey Alexandrovich Morgachev, an officer of the Russian Main Intelligence Directorate of the General Staff of the Russian Army (GRU), leader of the Russian hacker group APT 28, consisting of officers of the 85th Main Special Service Center of the GRU, military unit #26165. Dumps of his private correspondence were exclusively provided by the hacktivists to the volunteers of InformNapalm volunteer intelligence community for analysis.

In this article we will disclose all relevant personal information regarding this Russian intelligence officer wanted by the FBI. We will wrap up with a story of a creative punishment through “moral humiliation” of the Russian hacker by Ukrainian hacktivists with an order on AlịExpress.

APT 28 and Lt. Col. Morgachev

APT 28 (also widely known as Fancy Bear, Pawn Storm) is one of the most notorious Russian hacker groups accused of many cybercrimes around the world. This structure is directly subordinate to the Russian military intelligence agency. It has carried out numerous cyberattacks against government and non-government targets in the United States, Germany, Italy, Latvia, Estonia, the Czech Republic, Poland, Norway, the Netherlands, Ukraine and other countries. In July 2018, the U.S. Justice Department issued a formal indictment of 12 GRU employees for hacking into the servers of the Democratic National Committee (DNC) and attempting to interfere in the U.S. elections. It was established that the structure included the GRU personnel serving in military units #26165 and #74455. Among the 12 names mentioned in the indictment there is an entry about Lieutenant Colonel Sergey Morgachev.

By the way, in Morgachev’s mail we found a message from Apple dated 2018 informing him of a request for his account data from the U.S. Federal Bureau of Investigation in connection with his newly acquired wanted status.

The hacktivists retrieved many interesting details from Morgachev’s emails, both about his personal life and his current place of residence and service in 2023.

They were also able to obtain numerous images with scans of personal documents of Morgachev and people associated with him.

Sergey Aleksandrovich Morgachev was born May 22, 1977 in Kyiv, Ukraine. From 1994 to 1999, he studied at the FSB Academy in Moscow. From 1999 to 2022, he served in the military unit 26165. Read below about his current duty station in 2023.

He is a Russian citizen. New passport: #4622 608349, issued by the Main Directorate of the Ministry of Internal Affairs of the Russian Federation in Moscow Oblast on 12.07.2022. Registered and resides at: 6/8 Dekabristov Street, ap. 249, Korolev city, Moscow Oblast, Russia.

He has a Toyota RAV4 car, number plate: Р778CB750, driver’s license: #9902 449278.

Title documents for the apartment

From the message dated June 29, 2020, we could also confirm Morgachev’s current place of residence and look into the acquisition documents for his apartment.

• Apartment specifications sheet (PDF)

Personnel files

According to the scanned copy of Morgachev’s “Form 4” found in his mail (filled out to receive security clearance to state secrets), he served in the above-mentioned military unit 26165 from August 1999 to August 2022. Prior to his transfer to another duty station, he held the position of the “Deputy Head of Directorate – Head of Department in military unit #26165“. From August 2022 to the present time, he has been working as a “Category 1 Programming Engineer” at SPECIAL TECHNOLOGICAL CENTER LLC [Rus.: ООО “СПЕЦИАЛЬНЫЙ ТЕХНОЛОГИЧЕСКИЙ ЦЕНТР”]. The questionnaire also indicates the actual address of his current duty station: 21 Gzhatskaya str., apt. 53, St. Petersburg, Russia.

SPECIAL TECHNOLOGICAL CENTER LLC (STC) (archive) plays an important role in supporting the armed aggression of the Russian Federation against Ukraine. According to the official website of the National Agency on Corruption Prevention of Ukraine, sanctions have already been imposed on this organization by the United States, Great Britain, Canada, Switzerland, Japan, EU member countries and Ukraine.
The fact that Morgachev is serving in the STC is also confirmed by his correspondence with the personnel department.

Among the retrieved documents, there is his fresh medical certificate (of December 13, 2022) necessary for the security clearance to work with the classified documents.

The questionnaire files also contain information about the position and specifics of his activities while serving at the Russian Ministry of Defense, as well as the desired salary that Morgachev would like to receive at his new duty station.

Sergey Morgachev’s CV was compiled on August 5, 2022, on the eve of the transfer to a new duty station. In his CV, he noted that from 1999 to the present time, he had served in a military unit of the Russian Ministry of Defense. He managed the special software development department. His duties included the personnel selection and control of the department work, distribution of tasks, interaction with other units. That is, the CV indirectly confirms that Morgachev led a group of military hackers at the GRU. Interestingly, he indicated on his CV that he was “not prepared to move“, but would be willing to do duty trips if they weren’t very frequent.

According to the income statement, Morgachev’s monthly salary at the end of 2022 was 250-300 thousand rubles.

Hacking into a personal account on the Russian state services portal

By gaining access to Morgachev’s personal account on the Russian government services portal, hacktivists also confirmed the data previously obtained from documents scans, as well as the addresses of his current place of service and residence.

Marital status: married, with two minor children.
Wife: Yekaterina Viktorovna Morgacheva, July 22, 1988.

Pictured: Yekaterina Morgacheva and Sergey Morgachev.

In general, there is a lot of interesting and varied information in the dumps of Morgachev’s correspondence: from vacation and birthday photos with colleagues to technical documentation.

Cobalt Strike 4.0

Some of the relatively recent technical documents found in Morgachev’s mail include files with notes regarding patches for Cobalt Strike, a platform used by hackers for cyberattacks:

• Patch Cobalt Strike 4.0 (PDF)
• Patch Cobalt Strike 4.0 Stage X64 Bugs (PDF)

Revenge is a dish served cold, or the final “act of moral humiliation”

Before wrapping up this article, it is worth mentioning the old story of the first encounter of InformNapalm and Fancy Bear.

In the first week after Russia’s full-scale invasion of Ukraine, on March 2, 2022, Reuters cybersecurity journalist Raphael Satter posted a thread of tweets with an interesting account of how a massive attack by Russian hackers from APT 28 was exposed thanks to a threat warning shared in April 2015 by a volunteer administrator of the InformNapalm website.

In 2015 and 2016, Russian hackers from APT 28 sent multiple phishing emails to volunteer admins of the InformNapalm website. However, as evidenced by their own stats table, not a single phishing Bitly shortened link was opened. However, these unsuccessful attempts to attack InformNapalm led to the discovery of a large network of targets and attacks on them by Russian hackers. The most high-profile of these attacks was the hacking of the Democratic National Committee (DNC) mail server and an attempt to interfere in the 2016 U.S. election.

In March 2023, the leader of this Russian hacker group, Lieutenant Colonel Sergey Morgachev, was himself hacked by Ukrainian hacktivists, who carried out a symbolic act of moral humiliation after breaking into his personal correspondence.

First, the hacktivists gained access to his anonymous social media accounts and posted scans of his passports there. Here, for example, is a screenshot of his Twitter account made after the hack.

Having also gained access to Morgachev’s AlịExpress account, the hacktivists ordered several dozen different items to the address linked to his account, including souvenirs with the FBI logo (by which he is wanted) as well as a large shipment of adult toys, which they paid for with his card.

As Morgachev is wanted by the FBI, he receives orders from his AlịExpress account [email protected] in his wife’s name.

Here is one of the fresh emails from the dump indicating that one of his recent AlịExpress orders made in March is already on its way and is being sent to the postal address in a shopping center in Korolev city, at 15 Stroiteley street.

This also additionally confirms that the Morgachevs actually reside at the registration address indicated in the documents: 6/8 Dekabristov Street, ap. 249, Korolev city, Moscow Oblast, Russia. The distance from his house to the post office where he receives orders from Alị Express is only 140 meters.

The dump

Ukrainian hacktivists from the Cyber Resistance team handed over a complete dump of Morgachev’s correspondence and personal files for publication, so that all interested parties, from the FBI to journalists, experts and members of the public, could independently investigate the facts set forth in this publication, and find other information that may be useful for further investigations (links to the email dump will be added in the near future along with translations of the article into other language versions).

P.S: We thank our hacktivist friends from Cyber Resistance for the exclusive opportunity to jointly work on this investigation and make this story public. We invite readers to subscribe to our telegram channel, where we publish much more information than gets to InformNapalm website.

Read more publications based on the data from Cyber Resistance hacktivists

• Hacking a Russian war criminal, deputy commander of the OMON of the Krasnoyarsk Krai.
• Hacking a Russian war criminal, commander of 960th Assault Aviation Regiment.
• Hacking Russian Z-volunteer Mikhail Luchin who ordered sex toys for $25,000 instead of drones for the Russian army..
• BagdasarovLeaks: hacking ex-member of the Russian State Duma Semyon Bagdasarov. Iranian gambit.

原文始发于informnapalm：Hacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28