The Russian Sleuth Who Outs Moscow’s Elite Hackers and Assassins

Credit to Author: Andy Greenberg | Date: Thu, 21 Feb 2019 16:10:38 +0000

Ten years ago, Roman Dobrokhotov sat down in the front row of a Kremlin auditorium, surrounded by a polite audience of journalists and dignitaries attending a speech by Russia’s then-president Dmitri Medvedev. Medvedev was only a few minutes into his address on the importance of the country’s constitution—which he had just amended to allow Vladimir Putin to serve as president again—when Dobrokhotov stood up, turned around, and addressed the audience himself.

“Why listen to him? He’s broken all our human rights and freedoms,” Dobrokhotov said in a loud, clear voice. “And he tries to tell us about the constitution!”

Dobrokhotov still remembers the faces of the people around him. “They tried to pretend they couldn’t hear, but the acoustics were actually very good,” he says. In a typical scene of Kremlin doublethink, Medvedev told the crowd that the young heckler should have the right to speak, even as security guards covered Dobrokhotov's mouth and hauled him out of the room.

Today, Dobrokhotov has found a better megaphone. And the 35-year-old Muscovite is using it to broadcast something that’s much harder for the Kremlin to ignore: the secrets of one of its most aggressive and dangerous spy agencies.

Over the last two weeks, the investigative news site Dobrokhotov runs, the Insider, has published a series of exposés on the alleged third agent of the Russian military intelligence agency known as the GRU involved in last year’s attempted nerve-agent assassination of Russian defector Sergei Skripal. The attack resulted in one person’s death and the hospitalization of three others, including Skripal and his daughter.

The Insider's reporting, published in collaboration with researchers at the website Bellingcat, has shown that the accused man, Denis Vyacheslavovich Sergeev, appears to be linked to a separate attempted killing with a nerve agent poison in Bulgaria in 2015. Their stories exposed yet another alleged GRU assassin's identity, hinted at the wider extent of Russia's use of chemical weapons in assassination efforts, and established an apparent new link between Sergeev and a private mercenary company known as the Wagner Group.

For the Insider and Bellingcat, they’re also just the latest in an ongoing series of revelations they’ve made about the GRU, an agency now believed to be responsible for everything from the Skripal assassination attempt to the hacking and leaking operation targeting US and French elections.

A significant portion of what the world knows about the GRU's involvement in those recent scandals comes from the work of Dobrokhotov's site and its Bellingcat partners. The Insider has revealed the GRU's role in hacking the emails of French presidential candidate Emmanuel Macron ahead of the country's 2017 election—even naming the specific GRU unit responsible—months before an indictment by US special counsel Robert Mueller exposed that same unit's hacking efforts in the US election. Dobrokhotov has helped to identify two Russian military officers allegedly involved in the downing of Malaysian Airlines Flight 17 over Ukraine, which killed all 298 civilians on board. And most recently, it has worked with Bellingcat to investigate Skripal's would-be assassins, identifying two of the three alleged GRU killers by name last year before completing the trifecta last week.

Dobrokhotov says he never exactly made a decision to target the GRU, which for decades has remained even more opaque than fellow Russian intelligence agencies like the FSB or SVR. "We just start to investigate one story and it turns out to be a GRU officer. Then we investigate a totally different story and it seems to be a GRU officer again," Dobrokhotov says in English that he has honed with hours of watching Stephen Colbert. "They're just so active, and they make so many mistakes, that they pop up in every investigation."

But while most of the international credit for that string of GRU revelations has gone to Bellingcat, Dobrokhotov and his staff have taken on higher stakes. Unlike Bellingcat's researchers, they're Russian, and live in close proximity to the very spies and assassins they're exposing. That has allowed them to run down some details of their investigations that Bellingcat never could have otherwise. It also puts them at far greater risk of arrest—or worse—than their international collaborators.

"I'm astonished by their ability. They're extraordinary investigators," says John Hultquist, a former State Department staffer and current researcher at security firm FireEye who has focused for years on GRU hacking. "To do that work from Russia takes a remarkable amount of courage."

Or as Thomas Rid, a cyberconflict-focused professor at Johns Hopkins puts it: "These stories mean more in Russian. The consequences of stepping on someone's toes in Russia can be far graver than they are here."

But when I met up with Dobrokhotov last November in a central Moscow bar—the closest thing the Insider's dozen-person staff has to an office—he told me he has no misgivings about taking on this particular adversary. "The choice is very simple. If you want to be a journalist in Russia, you either choose the real topics, the most important topics, or you’re not a real journalist," he said. "If you write about traffic jams, that’s fine in Switzerland or Sweden. But in Russia you have to work on these topics, because they can change society."

Long before becoming a journalist, Dobrokhotov spent his adulthood fighting the Russian government's secrecy, censorship, and corruption. He took part in his first protest as a first-year college student, after the Kremlin's takeover of the independent television station NTV in the year 2000. Later, he founded the dissident group known as "We"—created in opposition to the pro-Putin youth group Nashi, which translates to "ours." He also helped organize events like a circle of thousands of people dressed in white, holding hands around the entire center of Moscow in 2012. In a commentary on free speech, he led a group of protestors with white tape over their mouths, standing outside the Russian government building known as the White House with blank signs. Police spent 10 confused minutes trying to decide whether he was for or against Putin, Dobrokhotov recalls, and then arrested him anyway—one of more than 100 times he says he's been detained.

"If he'd been born in 1880, he'd be one of those guys throwing bombs at the czar," says Aric Toler, one of Dobrokhotov's collaborators at Bellingcat.

By 2013 Dobrokhotov had finished his PhD, and felt he had outgrown the youth movement. So he made the switch to full-time journalism. "There are many people who can organize big protests," he explains. "As an investigative journalist, I don't have that many competitors."

The Insider made some initial ripples with corruption exposés on Medvedev, state oil firm Gazprom, and dozens of high-ranking Kremlin officials. But its first scoop to get the attention of the West came in 2017, when Dobrokhotov started looking into the hacking of En Marche, the political party of French president Emmanuel Macron, whose emails were stolen and leaked just ahead of France's election.

France's own cybersecurity agency, ANSSI, had declared no trace of Russian hackers targeting the campaign. But one of the hacked emails contained metadata that identified a user who had at some point touched the documents: Georgy Roshka. Dobrokhotov and his staff found that same name was listed as a representative of the technology firm Eureca at a conference in 2014, but Eureca denied Roshka was an employee. So the Insider staff painstakingly contacted dozens of the conference's other participants until they obtained its attendee list from the previous year, and found Roshka plainly listed as a member of GRU Unit #26165, based at 20 Komsomolsky Prospekt in central Moscow. It would be nine more months before the same unit number and address were revealed in Mueller's indictment of GRU hackers meddling in the US election.

Dobrokhotov's collaboration with Bellingcat began last year, when he responded to a photo on Twitter posted by Bulgarian Bellingcat researcher Christo Grozev, showing what appeared to be a GRU officer in Montenegro. They began sharing information, and months later would together identify three GRU agents they believed to be involved in an attempted coup against Montenegro's pro-NATO government.

Around the same time, Ukrainian intelligence and the Dutch government publicly released intercepted radio conversations among the pro-Russian soldiers suspected of shooting down the Malaysian Airlines flight MH17 over Ukraine. Bellingcat and the Insider believed two Russian officers might be involved based on partial names in the recordings. Dobrokhotov called them up, posing first as a friendly journalist and then as a survey taker. Bellingcat and the Insider then forensically matched the voice recordings from those calls to identify two GRU officers, Nikolai Tkachev and Oleg Ivannikov.

“We would not have been able to do this work remotely,” says Bellingcat’s Grozev, who says he now speaks with Dobrokhotov daily to brainstorm leads and investigative ideas. “And few Russian journalists have the courage to call up a top GRU colonel responsible for hundreds of deaths abroad and pose as a pollster. But this is the kind of work Roman is amazingly good at.”

Just a few months later, in September, British police released CCTV photos and pseudonyms of two Russian men believed to have poisoned GRU defector Sergei Skripal with the Novichok nerve agent in the UK town of Salisbury. Bellingcat and the Insider began combing through leaked databases of Russian passports, flight manifests, and car registrations, some of which Grozev had obtained from underground sources. They worked from a hypothesis based on a pattern they'd found in GRU cover stories: The men's last names were often fake while their first names and patronymics—Russian middle names based on a father's given name—were real.

Amazingly, they say they were able to find matches for both men in their documents and learn what they believe are their full identities: Alexander Mishkin and Anatoliy Chepiga. (The same techniques would allow them to identify Sergeev, the alleged third agent involved in the operation, months later.) With only a night before publication, Dobrokhotov even sent an Insider staffer to Mishkin's tiny home village in Western Siberia. A family acquaintance there proudly identified Mishkin and matched him with a picture taken from Russian television, where the two killers had given an interview under their pseudonyms, claiming to be mere tourists in Salisbury.

When Dutch authorities released the names of four more GRU agents caught attempting to hack into the Organization for the Prohibition of Chemical Weapons in the Hague, Bellingcat and the Insider were able to cross-reference those names against their list of leaked car registrations. The additional names confirmed that more than a thousand GRU agents appeared to have registered their real names to GRU building addresses—a massive, embarrassing leak of the agency's secrets that Dobrokhotov says has already aided their investigations and will likely serve as a powerful tool in future ones.

"It's like reading a detective story," says Dobrokhotov, who notes that he was a fan of Sherlock Holmes growing up. "With one link, you pull out the whole chain."

But as Dobrokhotov's team continues their serial GRU revelations, the question looms: Can they continue to expose the agency's alleged spies and killers without becoming a target themselves? Dobrokhotov notes that he could easily be arrested for exposing state secrets at any time, but says he's so far faced no reprisals. The Russian government has instead focused its criticisms on Bellingcat, accusing it of serving as a tool of foreign intelligence agencies. (Dobrokhotov was, however, barred from attending a press conference Putin held in December—perhaps not a surprise given his 2008 Medvedev disruption.)

“Every time he’s meeting me or anyone else in Europe, often on the day we publish a story, we try to convince him to take a few days, to not go back to Russia, to let the dust settle. He never does,” says Bellingcat’s Grozev. “On a scale from one to one hundred, he’s a hundred in terms of his bravery and willingness to risk everything to get the story out.”

Despite the steadily growing number of reporters murdered for taking on Russia's ruling class, Dobrokhotov argues that he's unlikely to be killed or arrested for his work on the GRU. It's more often the oligarchs and lower-level politicians in Putin's orbit, he says, who give the order to kill a journalist. Then again, he points out minutes later, the Insider has published investigations about those people, too. "We don't have any red lines we won't cross," Dobrokhotov says. "We haven't gotten a warning, but these people don’t warn. They just react without warning."

Dobrokhotov says he takes precautions. He encrypts his communications, talks in person whenever possible, avoids walking empty streets, and works under the assumption that his cell phone is tracked and his home is bugged. "These measures aren’t enough to stop possible killers. But it makes it impossible to do it without leaving any traces," he explains. "If you’re always in the light, society will know who did it, and that's very politically costly."

Regardless, he says he refuses to let the ever-present risk of arrest or even death change the Insider's coverage. "If I changed my job and started doing something else, then I would have lost without even having a real fight," he says.

When he considers his odds, he compares them to those of his grandfathers, both of whom served in World War II. In that war, Dobrokhotov notes, men on the front lines had a dismal chance of survival—around 40 percent of all Russian men who were 18 at the start of the war were killed. One of his grandfathers was even underage at the time, Dobrokhotov says, but volunteered to fight anyway. "I've just risked being imprisoned and a very small chance of being killed. So why would I be scared?" he asks. "It's the same question of fighting against fascism now as it was then. This is about the freedom of the country, the future of our children."