Roshka and Russian Hackers. The GRU broke into the French President’s mailbox

Last week, The Insider, a Russian independent online media outlet, published an investigation into how Russian intelligence agencies were involved in hacking the mailbox of the French President, Emmanuel Macron. Free Russia Foundation has translated this story into English.

Last Thursday, Guillaume Poupard, director general of the French government cyber-defense agency (ANSSI), declared that the ANSSI had found no “Russian trace” in the cyber-attack against French President Emmanuel Macron.

Russian President Vladimir Putin made a vague comment earlier the same day, saying that even though the hackers could have been Russian nationals, they were by no means linked to the Russian government. However, as The Insider found out, the people involved in hacking Macron’s e-mail were directly linked to the Russian government: they were officers of the Main Intelligence Directorate of the Russian Armed Forces (GRU), the Russian military spy agency.

In early May, The Insider had already written that the name of Georgy Petrovich Roshka was found in the metadata of the hacked e-mails. At that point, not much was known about this person: we were aware that he had attended the IT conference PAVT-2014 as an employee of ZAO Eureca, and that Eureca was working closely with the Russian Defense Ministry. We also managed to find out that another man had represented Eureca at the conference alongside Roshka: Sergey Zaitsev, who was working at the Defense Ministry Center for Special R&D. This Center was hiring professionals in software engineering and cryptography. The Insider inquired with Eureca regarding these people and was officially told that Roshka had never worked for the company, and that Eureca had never sent representatives to the PAVT-2014 conference. Eureca added that, according to “open sources,” Roshka had also participated in the 2016 and 2017 PAVT conferences, though in a “different status.” Eureca specified neither Roshka’s status nor which “open sources” it was referring to. An Internet search found no sign of Roshka’s involvement with the later conferences, nor any other mention of his name. So The Insider tried to inquire with the conference hosts about this information. This is when the odd things began.

Special-ops Conference

One of the Conference’s key hosts, PAVT Program Committee co-chair Leonid Sokolinsky (chair of the systems programming department at South Ural State University), told The Insider that he was unable to provide the Conference participant lists for 2016 and 2017 due to a “database glitch, which destroyed the discs and the information they stored.” According to Sokolinsky, this happened because the data storage system was antiquated. He added that “anyone off the street” could register for the Conference and no one would bother to verify their affiliation.

We felt we were out of luck. But just in case, we decided to check with another Conference host, Vladimir Voevodin, chair of the Moscow State University Supercomputers and Quantum Informatics Department. To our great surprise, he gave us a completely different answer: the list of participants does exist and he has it, but he can’t share it with us due to a privacy protection rule. We reminded him that back in 2014, the list of participants had been available on the Conference site. Voevodin replied that the privacy protection rules had become stricter.

While answering the question about registration, Voevodin pointed out that anybody could apply, but then “the experts would assess each applicant’s work, and only the best would be admitted. Every admitted applicant should have a presentation.” He also specified that the hosts never verify the affiliation of a participant: “All we care about is the scientific component of the presentation and how it fits the Conference’s profile.”

Well, it sounded very convincing, except that Roshka did not give a presentation at the Conference, and the list of participants was significantly larger than the list of presenters. Nor did it look like anyone off the street could take part in it, since military officers were registered on the list. For example, Ivan Kirin, Andrei Kuznetsov, and Oleg Skvortsov indicated their affiliation with Military Unit #71330.

According to open sources, this military unit deals with ELINT, intercepts, and decryption. Alexander Pechkurov and Kirill Fedotov listed their affiliation with Military Unit #51952, which is part of the FSB 16th Center (the FSB’s signals intercept center). In addition, among the Conference participants we identified three employees of FGUP (federal state unitary enterprise) R&D Center Kvant, which is part of the FSB. Back in 2015, Kvant was caught red-handed dealing with hackers.

How were intelligence officers able to register openly under their real names? Vladimir Voevodin told The Insider that “secrecy is the business of participants, the onus is on them.”

However, we still didn’t have an answer to our main question: who is Mr. Roshka, and what was his affiliation at the following Conferences? To find out, The Insider sent letters to every PAVT-2014 participant asking them to share the lists of PAVT-2016/2017 Conference participants with us. One person sent us both lists.

Free Russia Foundation THINK TANK

Military Unit #26165 is also known as the GRU 85th Main Special Service Center, dedicated to cryptanalysis.

GRU hackers

After the mysterious death of GRU chief Igor Sergun, it was widely expected that Sergei Gizunov, the head of the 85th Main Special Service Center, would replace him. However, he only became a deputy of the new chief, Igor Korobov. Both Gizunov and Korobov are under U.S. sanctions for “activities to undermine democracy in the U.S.,” in other words, for hacker attacks. While Korobov was sanctioned simply for being the head of the GRU, Gizunov could have been directly involved in the cyber-attack, since he is a cryptography expert and has published a number of works on the topic. The 85th Main Special Service Center (located in Moscow at 20 Komsomolsky Prospect, a historical building constructed in the times of Tsar Alexander I) is also dedicated to this field. It seems that this is Georgy Roshka’s workplace.

Sergey Zaitsev, who came to PAVT-2014 along with Roshka as a Eureca representative, was later identified as an employee of the Defense Ministry Center for Special R&D. He was not present at the PAVT-2016/2017 Conferences. What caught our attention was that in 2016, Roshka registered his affiliation as a military unit, and in 2017 as “a researcher at the Center for Strategic R&D.” He was likely referring to the Defense Ministry Center for Special R&D (it would be hard to imagine that he had suddenly joined the eponymous center led by former finance minister Kudrin). However, it cannot be ruled out that his stated job was simply a cover: something to write on the registration form. But then why did Roshka register as a Eureca employee back in 2014? Was that also a cover? Or was he somehow involved with the company?

Eureca and the hackers factory

Eureca has denied any connection with Roshka:

“This is to inform you that for the period from 01.01.2003 through 05.10.2017, Georgy Petrovich Roshka has not worked at ZAO Eureca (INN 7827008143) on a permanent basis, and no civil-law contract was ever signed with him. Neither was Georgy Petrovich Roshka found in the list of the training center’s students, nor in the Eureca.ru domain’s database.”

We couldn’t verify this response. However, the Eureca training center was worth a second look. Officially, it offers “IT courses.” But sources well familiar with the company (who requested anonymity) reported that, among other things, this very Eureca training center teaches special services officers how to become hackers.

The Defense Ministry does not deny that the cyber troops exist, though it has never specified where the hacker training facilities are located. 118 Moskovsky Prospect could be one of these places as well.


As the Municipal Scanner project managed to find out, one of the three Eureca co-owners, Alexander Kinal, acquired an apartment last February in an elite housing complex on Kamenny Ostrov in Saint Petersburg, at 19 2nd Berezovaya Alley. The Insider has already written about this building, where people from Putin’s close circle live: his judo teammate Arkady Rotenberg; former head of the Presidential Administration Vladimir Kozhin; fellow members of the Ozero cooperative (Nikolay Shamalov, Yury Kovalchuk, Sergey Fursenko, and Viktor Myachin); and the former leader of the Malyshevskaya criminal gang, Gennady Petrov. According to the Municipal Scanner, it was Petrov’s apartment (478.4 sq. m, with an estimated price of $9 million) that Kinal actually purchased.

The Stage of Denial

Symptomatically, Vladimir Putin did not deny the hackers’ connection with Russia all that vehemently: they could have just been Russian patriots acting independently of the government: “The international environment does matter in this case, because hackers are free people. They are like artists. If they are in a good mood, they get up in the morning and begin painting their pictures. Hackers are the same. They wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia. Is this possible? In theory, yes it is. We are not engaged in this on the state level and we are not going to, and this is the most important thing.”

It was not by chance that Putin mentioned “artists.” After studying the activities of the groups known as Fancy Bear and Cozy Bear, dozens of cyber-security organizations from various countries have collected enough data to establish that these two groups are based in major Russian cities, speak Russian, work on a Russian schedule (taking breaks on days that are holidays in Russia), and attack the same targets that would be of interest to the Russian government, both overseas (Hillary Clinton, Emmanuel Macron, a number of European politicians and journalists, NATO military facilities, targets in Ukraine and Georgia, etc.) and domestically (opposition activists, journalists, NGO activists). By now, it is impossible to deny these two groups’ connection with Russia. However, they could still be presented as independent actors, just as the “Novorossia militia” (separatist fighters in Eastern Ukraine) were presented as independent actors.

Previously, this excuse could be refuted only through indirect evidence (for example, the fact that, according to experts, the Fancy Bear and Cozy Bear operations would require a well-funded, large number of well-trained professionals employed on a permanent basis, and no “artists” would be capable of performing such a task). GRU involvement has now been confirmed with direct evidence. Putin’s theory that “someone just inserted a memory stick with the name of a Russian citizen” is hardly convincing: Roshka’s name had never emerged before, neither in the context of hackers nor of the GRU (and probably never would have, if it weren’t for this investigation), and therefore could not have been used for the purpose of a provocation.

This article was prepared in cooperation with Anastasia Kirilenko, Sergey Kanav, Iva Tsoi, and Anna Bagiashvilli.

This article first appeared in Russian at the Insider’s site.
