Loading summary
Tom Muran
Hello everyone, this is Tom Muran. I'm here with the Gruck for another between two nerds discussion. G' day, Grok. How are you?
Grok
G' day, Tom. Fine, and yourself?
Tom Muran
I'm good. This week's episode is brought to you by Push Security. They make an in browser agent that makes sure that your corporate identities don't end up being sprayed all over the place by accident. Check them out@PushSecurity.com so this week there was this fascinating report from the Insider, which is a magazine newspaper that looks at what goes on in Russia. And this article was written by Christo Grotsev, Roman Dobrikhotov and Michael Weiss. And familiar with Christo Grotesev. He used to be at Bellingcat. And so bellingcat does these huge deep dive investigative open source reports. So famously, they tied the poisoning of Sergei Skripal, who was a former KGB spy who had defected to the uk. He was poisoned at home in Salisbury with a nerve agent. And Bellingcat tied that attempted assassination to Russian intelligence, specifically, specifically this unit known as unit 29155. So it's Russian military intelligence, the GRU, and it's.
Grok
And two innocent GRU agents who happen to be in Salisbury to look at the Cathedral Tower. That's coincidentally at the same time as they went to visit Skripol at home and he wasn't there.
Tom Muran
I mean, those poor GRU agents. So that unit, which I hadn't heard of until that incident. So Grotesv was involved in the work that unravelled that. So the Insider did a deep dive into how unit 29155 got into cyber operations. So they've. In recent times there's been more reporting about how they're doing cyber stuff. And to me it was always entirely a mystery. How does a group of essentially thugs, like the type of people who would do sabotage operations and assassinations, are not your typical keyboard warrior.
Grok
Those are not usually two things that go together. It tracks people down and murders them and also makes up stuff on the Internet and lies on Twitter. I mean, I guess if you're killing people, you're not above lying on Twitter. But it doesn't seem necessarily like.
Tom Muran
Yeah, yeah. And so even in Mission Impossible, they've got the Tom Cruise character, what's his name, Ethan Hunt, who does all the stunts. He's a good version of unit 29155. And then they've got the hacker type, Simon Pegg, who does all the hacking stuff. They're two different people and there's no reason that they're two different people. And so I guess we'd talk a bit about this article and look at what it tells us about Russian cyber organization and culture.
Grok
Right. So I'm just thinking, does this mean that if you're a hacking unit, a cyber unit in gru, you suddenly expand into assassinations as a side hustle?
Tom Muran
Well, there's a mystery here. The article, I think, first of all, it's fascinating that it talks about what type of information they based it on. So let me just find it. The insider has spent a year investigating the hackers of unit 29155, relying on a trove of leaked emails, social media posts, phone records, and crucially, unprotected server logs. And left behind burner emails and disused VK and Twitter account. It's just like it wasn't burn after reading just so much as just leave it lying around after we're finished.
Grok
You know, you can find articles talking about how bad using email for covert communication like these. Go back 20 years, you can find articles saying, like, do not use, like an email account for. For Covcom. I mean, some of the stuff that struck me was that they had these VK accounts. That's the Russian Facebook. So they were using VK accounts and they were just messaging each other reports. These were like operational reports of their activities being sent over VK messenger.
Tom Muran
And then they didn't even bother. Like, they didn't even delete the logs. They just left them there. So I think that's. That's fantastic that they just leave that behind. It's so good where good is bad. And it seems that hacker number one, patient zero, I guess for 29155, when it comes to hacking, was just a cybercriminal. And it's not really clear how he ends up there. Yeah, I can only assume that the boss of the unit at the time just decided that we'll get into this line of business, we'll get into hacking. And the guy, the criminal is Tim Steagall. So he's an ethnic Chechen, so I'm probably totally pronouncing his name wrong, but he had been a cyber criminal for some time, and then all of a sudden he just ends up in the gru.
Grok
Like, there's definitely something missing there.
Tom Muran
Yes.
Grok
Like this is. There's a very clear step to. That's not.
Tom Muran
Like the whole article is great. It's got this a whole lot of color. Apparently Steagall has a still active finance blog, so he's an active blogger writing about Finance. So this is back in around 2014, I think. And he joins the GRU. They've actually got some of the ID cards that he used around that time under different names. And he traveled to different countries under this false identity. It's not clear why a hacker needs to travel. Like there being cases where the GRU or Russian intelligence has done close access operations trying to intercept off WI fi or gain access through WI fi, so who knows? And then he's involved in a series of hack and leak operations. So one of them is the compromise of Qatar's state bank. Is it Qatar or Qatar?
Grok
Qatar, according to the Qataris.
Tom Muran
Okay.
Grok
And that's what they said when I was there. So I don't. I mean that's. That's all I know.
Tom Muran
Yeah, yeah. So the motivation there was that the Qatari royal family was supporting the, the rebel groups opposed to the Syrian regime of Bashar Al Assad. And Stiegal stole data from the bank and then he pulled out the dealings of the Qatari royal family. I think you've spoken about this before, where you can't just take a dump of data and then put it on the Internet and then journalists will go and do a wonderful job. It appears that he actually took it says one and a half gigabytes of data, leaked it all of it online, and structured the dump in such a way as to draw the focus to the financial dealings of the Qatari royal family and their government's intelligence operations. So that seems like. Actually that's probably like a job well done. I've never heard of this pack or this leak before, so I don't know whether that tells you whether it was successful or not.
Grok
It's news to me. So I think it made a big splash at the time since neither of us have heard of it until we read this article.
Tom Muran
And so this was done as a false flag operation. So the claim that Turkish hackers did it anyway. So there's a number of hack and leak style operations. I can only assume that the boss of the unit at the time said hack and leak. Here's something that we can get into and let's grab this Stegall guy and have at it. And so they do a number of those types of operations. Stiegl's allowed to recruit other criminals.
Grok
So I was just going to say the screenshot they have here of the tweet from when they were doing the Twitter false flags is obviously stolen from one of these internal reports because the pinned tweet is the one that was being used to Sort of instigate unrest. And you could see it was pinned 25 seconds before the photo was taken. And it's a picture of a screen, it's not an actual screenshot, right?
Tom Muran
Yep.
Grok
So this is absolutely one of their reports. Like, look at this thing that I put out.
Tom Muran
Yep.
Grok
They have nine followers.
Tom Muran
Yeah. So I think the insider says that they found a disused server that had several different 29155 reports of what they'd been doing. It's like just mild.
Grok
I feel like there's a lot of. The server fell off the back of a truck. Is that what happened?
Tom Muran
It's never quite clear how they get these. The information.
Grok
I mean, it's clear, but it's just not. I think we can all figure out what happened.
Tom Muran
One paragraph that speaks to that is the insider recovered it from text files sent between and among the hackers via a left behind email address that was used to register a burner account on Vcontactor VK, Russia's Facebook equivalent. The email and the Vcontactor direct messages were apparently used by members of unit 29155 for reporting purposes.
Grok
Just, I mean, that mirrors the ASD thing of using Gmail for all of their operational reporting, you know. And it's shocking that the sort of thing that you'd set up between an agent and an officer for control and this would be like, are we still meeting on Tuesday? Yes. Which would mean that the meeting for Thursday morning is still on.
Tom Muran
Yep.
Grok
Right. You would never use it internally because you'd use internal tools which are secure.
Tom Muran
Yes. I mean, it's mind boggling. Now I was wondering if this tells us that because 29155 is not a traditional hacking type outfit, they don't have the same OPSEC culture as the other gru, the true GRU hacking teams.
Grok
Yeah. Like the pedigree doesn't seem to be intelligence work. Right. Like the hacking was built up from a criminal who brought in other people and his era of criming was pre crackdown. Like, it seems that he comes from an era of a lot more laid back opsec because it just didn't matter.
Tom Muran
Yep. And that's what a criminal would do. They would use VK and direct messages and whatever.
Grok
Right. Yeah. And so it just. When they are learning to do stuff, they're learning from this guy who's got these old bad habits. But I think one of the other things that it suggests is that they're not in the office. Right. If you're in the office, then you can use the Internal secure mail and the internal secure messenger and you know, the phone lines and stuff like that. There's ways of doing secure stuff, but if you're outside of the office, maybe accessing that is a lot more painful and difficult. And so you would find secure enough solutions.
Tom Muran
Yeah. So it seems like there was Stiegl, then he recruited two other former criminals and that seems to have kicked along for a while. And then whatever it is they were doing was successful enough that they then started recruiting young people from capture the flag competitions. So I think it's interesting that even though there's nothing in here that we can see that strikes us as particularly a win, they were able to sell it internally as a. We want more.
Grok
Yeah, I mean the. They mentioned one of the things that was viewed as a huge success, it was an info op of some sort.
Tom Muran
So there is this part where it says internal chats seen by the Insider, like Incredible show that unit 29155 considered its biolabs series to be the crown jewel of its cyber information operations. The series was used to justify tens of millions of dollars in additional state funding for unit 29155.
Grok
So that's then spent on more VK accounts upgrading to premium Twitter.
Tom Muran
So they recruited a Bulgarian journalist who became a kind of cutout and would report basically conspiracy theory stuff. Her reporting became the bedrock of official Russian government claims about malign US scientific research into infectious diseases, all in the lead up to the 2020 COVID pandemic. So the GRU creates the lie, it's amplified by this journalist, it's picked up by Russian officials and then it becomes a sort of self licking ice cream. Yeah, and I guess of course Covid feeds into that. So that seems to be the, the single operation that actually justifies all the other stuff.
Grok
Very long ago when I worked at a startup, the CEO was this ex salesman. He was telling me that one of the ways that sales groups would work is that whenever a particularly lucrative contract was finally signed and there's going to be this big commission, they'd go and they'd pull out all of the expense reports that they hadn't submitted yet that were particularly dodgy, that they would then start attaching to this one sale dinner for three at some very expensive place, golfing out, golfing trip, helicopter ride with whatever and you start just assigning them to this one account so that you can submit everything and get it approved. And it feels very much like that, that they had this one thing luckily came through and so now they're right. Yes, they're all sort of hanging off the back of this.
Tom Muran
Yeah, yeah. So on one level, this part is speculation that the boss wanted to get into Hack and leak, the series of operations that we've never heard of, one that is probably boosted by the arrival of COVID 19. Like a 1 in 100 year pandemic.
Grok
The secret to information operations and comedy is timing.
Tom Muran
So what I like about it is that they've got the. Whatever the Russian word for chutzpah is to just go and do things and try it out. And that is entrepreneurial, it's innovative. I don't know if I've told this story, but once when I was working in defense, I went to my boss and I said to her, I want to try and do this thing. And she was like, what's it going to get us? And I was like, I don't know, but I know it's going to be great. And she accepted my word on that. And it feels like the Russians are operating.
Grok
That's just.
Tom Muran
Yeah, that's right. Now some of the stuff later on talks about how Stegall retires or removed or has health problems and resigns. He gets replaced by this guy called Roman Puntas. And Puntas leads the hacking team, but it says he had little understanding of it and relied heavily on his subordinates. He also appeared more interested in his personal pursuits than in winning the war. So this is during the war in Ukraine.
Grok
That sounds like every IT boss ever. You've got the guy who founds it, who sets the whole thing up and it's going really great and he retires and they bring in like the corporate guy who's the safe manager that, you know is a friend of the board and he doesn't know what he's doing, he's just taking a paycheck, basically. That's. That's what it looks like. It's. It's a traditional takeover.
Tom Muran
Yeah, yeah. And to me it speaks to like, you just do whatever you feel like. And so the previous boss was Steagall. You go and do this thing. He's given a fair bit of autonomy. He's the operations like, you can see how they are at least intended to align with Russian interests. Whereas this guy is just like, ah, whatever. So.
Grok
Yeah, yeah. But they align with Russian interests. But they're also sort of cheap and easy.
Tom Muran
Yeah.
Grok
Like they're not Operation Olympic Games. Right. Like they're not. They're not dark energy. They're not these big.
Tom Muran
So Olympic Games. That's the one that was reported by The New York Times guy, Sanger. David Sanger. Right. And his reporting is that the US had a whole lot of operations prepared to disrupt. I think it was Iran, Iranian infrastructure, in the event that a military confrontation was necessary. And the depiction in the book is that it was a whole series of things that would really have crippled Iran, who knows? Of course. But yeah, big picture, cyber Pearl harbor kind of stuff.
Grok
Right, right. You know, and dark energy. They take out, like they spend months learning how the Ukrainian electrical infrastructure works and then they disrupt it and knock out the electricity. Like it's a, it's a big thing with heavy investment. He's big on like Twitter accounts and hack and leak. So I think they're using this journalist as a cutout, but also she's doing the work that they couldn't do. They could get the data, but they couldn't craft a story, a narrative that they could then feed into the information ecosystem and sort of hope that it grows legs. Whereas that's the thing that she can do. She can take this and she can turn it into an actual story. So rather than a dump of the bank files, it would be, here is a corruption scandal as revealed by these bank files, or here is some sort of scandalous thing supported by this data.
Tom Muran
Yep, yep. So one of the projects that the insider uncovers, the internal 29155 report is called Graffiti in Cities. And I spoke with Patrick about this briefly and basically they just recruited people online to go around and do graffiti in Ukrainian cities. They were paying them like between one and five dollars for the graffiti, depending upon the importance and the risk involved in marking a certain location. The assets were also required to report their walking routes and the number of steps walked per day. So it's like your first newspaper job.
Grok
Yeah, yeah. But I mean, the, the thing is there's a bunch of people who have now been done for Russian sabotage.
Tom Muran
Yeah.
Grok
And they've been caught pretty much the same way. Like these are.
Tom Muran
Yeah. The technique has been applied to much more serious things.
Grok
Right. So they'll, there'll be things where these are like basically low level criminals who just don't want to get a job or can't get a job or for whatever reason they need to make money and they're looking for something that they can do that will pay well. That's not too hard. And they'll look online and there'll be these offers of like, you know, here's $5 to spray paint some graffiti. And like.
Tom Muran
Yeah.
Grok
So if you do like 20 of those, that's a hundred bucks. It's got to be, you know, like that's good money. You could probably do that in an evening.
Tom Muran
Yeah, yeah. So there is a story here about a particular firebombing where it looks like they paid a Ukrainian to go and throw a Molotov cocktail at a particular person's house. $7,000. So that is a hell of a lot cheaper than actually getting a real agent that you spent hundreds of thousands or millions of dollars training and false.
Grok
IDs and infiltrating into the country, putting him at risk of being arrested. You know, I mean, I like this. They didn't even pay the $7,000. He was only promised it.
Tom Muran
He was promised, never actually delivered.
Grok
Yeah, I mean that's the way to do it. Like what's he going to do? Complain to telegram? I was cheated.
Tom Muran
Yeah. So part of the work involved there was actually tracking down the address of the target who was a government official. And so apparently there was lots of officials with same or similar name. So they didn't actually know where this particular person.
Grok
More than one Igor is what you're saying?
Tom Muran
Apparently. Yeah, yeah. So that to me is interesting in that they had, it seems like not that good an idea like graffiti, but the techniques that went into that executing that like they've learned by doing and they can actually repurpose them to do things that seen to me would, would be a lot more impactful.
Grok
Right. But I mean it hasn't been one sided because there's also people in Russia who are getting paid to do things like park an electric scooter next to the, the foyer at an apartment and it'll, it'll contain a, basically a claymore mine that kills a, you know, GRU colonel or whatever.
Tom Muran
Right, right.
Grok
What's curious is that this has actually been a huge thing in Japan. They're not exactly crime syndicates. I don't remember what it's called, but basically the way that it works is essentially you sign up with the same sort of thing like carry a bag from point A to point B, it'll be full of drugs. Or get a car and wait on this corner at 4pm tomorrow. Three men will get in and you need to drive them where they want to go. And it'll be, you're the getaway driver for a, a bank heist.
Tom Muran
So it's like airtasker for crime.
Grok
Yeah. But like there's been big scandals and like there's a guy who got done because he organized like jewelry robberies where he'd basically be like this is a very easy task. All you need is a hammer, a ski mask and a backpack. Right. And then he'd send like four guys who didn't know each other because they'd all met up wearing ski masks, who'd all been signed up for this job. They'd show up, they'd smash and grab at a jewelry store, hand off to someone else and they'd get paid for it. And then they'd all get busted because that's what happens when you drive your car to a jewelry store. And he wouldn't, because he'd only spoken to them via telegram or whatever, or online messenger. And the whole thing became a huge scandal when there was actually a murder that was done. They'd hired a guy to kill someone and all these other dudes were like, I only drove the car. Like, you know, I only helped get her into the car. Like, yeah, I didn't actually strangle her. That's him. I didn't know what was going on. So. But that's a whole subculture that exists in Japan where they, like, that's what they actively do. So I, I don't know if that was inspiration for this or it's parallel convergent evolution.
Tom Muran
Yeah. From the perspective of a intelligence agency, that seems like an innovative thing to do. If you come from a culture of secrecy and not telling people what you're trying to do. Like, you don't trust random people with your sabotage.
Grok
Yeah. You don't go to the co op market and put up a little index on the board.
Tom Muran
But when you are thinking of the modern day world, it's like, well, of course it's. That's what people are going to do. Yeah. So I guess it seems like they've got this culture of whatever goes. They set up these small teams that don't seem to talk to anyone else within gru. Like there doesn't seem to be any deconfliction. I mean, maybe there is, but it's.
Grok
More of a cell structure in a way than an organization where you've got these independent units that are sort of like they're completely self contained. They don't seem to coordinate with others. They do their own operations internally.
Tom Muran
Yeah, yeah. In that operation with the Bulgarian journalist, I think it was just Stiggle by himself. He was messaging the journalist. He was doing. I don't know if there was any hacking involved. There was hacking at times, so it seemed like he was doing it all.
Grok
Yeah, yeah. So one of the other ways that I think we can see the internal structure of FSB and GRU is this report from the Ukraine cert from I think the first half of 2023. And they've got this matrix which shows the first six months and they've broken it out by each week. So across the top they've got each week and then down the left hand side they have every single group that they're tracking and then they have this heat map which shows sort of how many operations per week are being detected from this particular group.
Tom Muran
Yep, yep.
Grok
It shows in a way how there are these new groups being stood up to do things. Like you don't have like the hacker group that gets assigned tasks.
Tom Muran
Yeah, yeah. I described like ASD and NSA as like factories where they've got pipelines, but that way of working is totally different. It's like the small teams and I.
Grok
Guess, what sort of tradescraft in a way. Right. It's sort of like the skilled, artisanal, pre industrial. Yeah, there we go.
Tom Muran
Artisanal cyber espionage as opposed to industrial.
Grok
Scale, handcrafted with love. You know, the way it should be, just it's none of your factory espionage, you know, that sort of soulless big corporation.
Tom Muran
Yeah. So I mean that seriously does have advantages in that it enables you to be very flexible, enables you to focus on things that are important at the time.
Grok
Right. And it's, it also gives you a lot of initiative. Right. Because you've got all of these different teams doing creative things and yeah, they're going to screw up sometimes, but they're also going to get unexpected wins.
Tom Muran
Yeah, yeah. So the. I'm looking at that table and there's what, like 30, 40 different groups. Yeah, like a lot of them. And so in asd we would try and have our factory and also have small teams as well, but they were like very few of them because they were supported by a high priority from the director. And so that's kind of a mixed model where you do your factory and you also pick out a few things, a few little operations that you think are important enough that you can pull people out, whereas this is the exact opposite.
Grok
Yeah. But I think we can look at the other side as well, which is that one of the strengths of this is that you get the sort of handcrafted, artisanal, dedicated, flexible, high initiative, but limited resources I think is the downside. Right. There's an inherent limit on how much you can do with a team of five people who are not supported by a large organization as part of that same project.
Tom Muran
Right.
Grok
Like this group, this 21 955, they're not doing these big operations, they're doing these hacking leaks, they're doing Twitter accounts, They're supporting one single journalist who becomes their only point of access for leaking information. Right. They don't have a wide and diverse web. I mean, they're just using novichok to kill people. It's pathetic.
Tom Muran
One thing I was thinking about was around the time of the DNC hacks, so Hillary Clinton's chief of staff, John Podesta was hacked. It wasn't by this unit, but, but they had also, I think they used a link shortening service as part of their tradecraft. But then they'd left the shortening service open, I think is my recollection. So again, poor tradecraft. And it showed that they'd hacked thousands of people. Now I'm thinking about thousands of people. Sounds like a lot, but actually when you're a hacker team, it's not that many. Right. So is that maybe still also a small team just operating on themselves doing the email hacking stuff and it's not.
Grok
Thousands of people in one day?
Tom Muran
No, no, no.
Grok
This is over a time period, so it's not all that many.
Tom Muran
I don't know if it was successful hacks. I think it was the target list.
Grok
Yeah, well, like one single person working as an access agent for a ransomware team will attack 10,000 people in a day and expect two or three hits. So it's going to say one of the downsides of cells, and I think you touched on it when you were talking about bad tradecraft, is that it's very difficult to disseminate best practices because you have assuming that there's no competition between groups at all, that they're completely friendly, that they're willing to share everything that they have. If they've got a successful technique, they're going to share it with everyone else so they can all get better. Even with that, it's very, very hard to do because if you're in different teams you don't cross train. Right.
Tom Muran
There's no weekly stand up meeting and they're on different slacks and.
Grok
Yeah. Different VK groups.
Tom Muran
That's right.
Grok
Assuming that there's no competition between groups, it's still hard to do and I'm not sure that's a safe assumption. Like I think that there's probably some level of competition and some like we figured out a way of doing things that was working well for us. Let's keep doing this because then we can get all the renals and bonuses and promotions and all that stuff, rather than sharing it with everyone else.
Tom Muran
So what you say actually makes a lot of sense. Small groups. But the article going back to that doesn't give me the sense that they're necessarily working towards a common goal or have incentives to learn from each other, in the sense that there's a whole section that talks about the current leader of the hacking unit in 29155 is basically just feathering his own nest. So he's setting up in the front. Yeah, yeah. And so the incentive seems to be to give the impression that you're doing well enough. But there's no. It doesn't seem that there's a driver to improve because, you know, all these operations get busted, most of them are failures, yet the hacking team still grows in size. Like, it's the one. The one in 50 operations that kind of justifies the rest. And, like, some of the stuff is that he creates a front company to funnel money from the GRU to his mistress. And so what's the incentive? Whereas for a terrorist network, the incentive to improve your OPSEC is you get captured or killed.
Grok
Jail. Right.
Tom Muran
Like a very strong driver.
Grok
Right. And also the other thing with the terrorist network is the reason to be a terrorist is that you have a strong belief in a vision. Like, you're doing this thing to achieve something. Right. Like, you don't do it just because, like, you know, you were hanging out on a Friday night with the boys and we decided to go and, you know, do car bombs. It's not a thing that you just do casually because the repercussions are so high. And also, the steps that you. Like, you have to kill people. Like, you have to do these very transgressive things that a lot of human beings don't want to do by default. Right. So you need to have a strong moral conviction that what you're doing is worth the cost. Like, it's for a greater good. So it's okay to do this. It doesn't seem like these. Like, maybe Stigle had that going on, but I don't think Roman. What's it. Yeah, so I don't think Roman Pontus is necessarily on board in the same way. I mean, look, he does have his mistress getting paid, but she was also working on a PowerPoint slide for the. So I think, you know, she's sort of part of the team, if you think about it. She's sort of. She's a worker. Right. It's. It's.
Tom Muran
So there's a paragraph here. He sets up his mistress as an employee or a contractor for 29155, Pontus was able to use his position as the head of unit 29155 cyber department to give his second family their own corporate entity, which received GRU funds earmarked for setting up the digital infrastructure necessary to engage in more hacking. And so like the, you know, incentive to actually improve things. Zero. I think in a nutshell, it seems like the Original boss of 29155 Just liked the idea of heck and Leak is my assumption. Got Steagall. Steagall recruited some other cybercriminals and they did like stuff. Yeah. But it seems like it's consistent with the Russian cyber or GRU culture or hacker culture of small, small cells. And they did that. Stegall's retired. The new boss of the hacking unit just doesn't care about hacking and is really just out for himself. And there's this great paragraph, the married GRU bosses affair. This is Puntus was not his first extramarital escapade by far. In fact, Roman Puntas work phone number registered in the COVID identity of Roman Panov is listed as a regular contact with more than seven VI escorts in Moscow can be seen from Russian phone sharing apps like this. This whole sentence doesn't make sense to me. Like you're using your work phone to contact.
Grok
Well, you don't want your wife to see it. You wouldn't use your personal phone.
Tom Muran
Oh, okay, yeah, that makes sense. One of the descriptions of Pontus in one prostitute's phone book is military but generous. Drives you home in his Chevrolet.
Grok
Great cover. You know, excellent, excellent job not letting everyone know that you're military intelligence.
Tom Muran
And so that that kind of anecdote right at the end of the piece kind of makes everything else make sense in that it's just, you know, anything goes, whatever, everyone's out for themselves.
Grok
It does feel like there's this early boss who goes like, let's do some hack and leak. That sounds good. Like everyone else is doing it. Let's get into cyber. That's going to be a growth industry for us. I'll get a promotion, we'll get some medals, you know, whatever. He gets the Stigle guy, and he lucks out because Stigol is the Jack of all trades, right? He does all sorts of stuff. So Stigol gets some wins, they build things up. This becomes a real part of the unit. Like there's an actual cyber thing going on. Stigol taps out, and the guy who takes over has sort of inherited this goose that's laid golden eggs and is full on, you know, golden egg for me time.
Tom Muran
Yes. He's reaping what someone else sowed.
Grok
Yeah.
Tom Muran
And it's, you know, in a good way. I mean, the whole thing just sounds totally alien from my point of view. It's, like, got the exact opposite of good governance written all the way through it. And it would be just inconceivable to this sort of thing to happen in the organizations I've worked in or know.
Grok
I feel like they maybe don't have robust oversight.
Tom Muran
I think it's like they don't have robust oversight, but they've got a lot of vodka.
Grok
Thanks a lot, Tom.
Tom Muran
Thanks God.
Podcast Title: Risky Bulletin
Host/Author: risky.biz
Episode: Between Two Nerds: How Russia's Sabotage Team Got into Hacking
Release Date: June 9, 2025
In this episode of Risky Bulletin, hosts Tom Muran and Grok delve into a compelling investigation reported by The Insider magazine, uncovering the evolution of Russia's infamous sabotage team, Unit 29155, and its foray into cyber operations. Drawing on the expertise of Christo Grotsev, a former member of Bellingcat, the discussion provides an in-depth look into the clandestine activities of Russian military intelligence (GRU) and their transition from traditional sabotage to sophisticated cyber tactics.
Tom Muran begins by contextualizing Unit 29155's notoriety, referencing their link to the attempted assassination of Sergei Skripal in Salisbury using a nerve agent. This operation, as Grok notes, inadvertently involved two innocent GRU agents who were coincidentally present in Salisbury, highlighting the unit's operational risks.
Tom Muran [00:03]: "...specifically this unit known as unit 29155. So it's Russian military intelligence, the GRU..."
Grok adds a humanizing yet ironic touch by empathizing with the GRU agents caught in the Skripal incident, underscoring the unpredictable nature of intelligence operations.
Grok [01:39]: "And two innocent GRU agents who happen to be in Salisbury..."
The core of the discussion centers on the Insider's year-long investigation into Unit 29155's transition into cyber operations. Tom Muran highlights the article's revelation of how the unit leveraged leaked emails, social media interactions, phone records, and unprotected server logs to sustain their cyber activities. The hosts express astonishment at the unit's poor operational security (OPSEC), particularly their use of platforms like VK (Russia’s Facebook equivalent) for sensitive communications.
Tom Muran [02:36]: "In recent times there's been more reporting about how they're doing cyber stuff. And to me it was always entirely a mystery..."
Grok underscores the incongruity of traditional sabotage operatives engaging in cyber tactics, typically the domain of "keyboard warriors."
Grok [02:54]: "Those are not usually two things that go together..."
A significant portion of the episode explores how Unit 29155's recruitment strategies diverge from conventional GRU and intelligence norms. The unit began with cybercriminals like Tim Stegall, an ethnic Chechen with a background in cybercrime, who transitioned into a GRU operant role. Grok points out the missing links in their recruitment process, suggesting gaps in organizational oversight.
Grok [05:50]: "Like, there's definitely something missing there."
As the unit expanded, they incorporated individuals from unconventional backgrounds, including participants from capture-the-flag competitions, indicating a shift towards leveraging diverse cyber skills.
Tom Muran [12:09]: "They were able to sell it internally as a we want more."
The discussion shifts to key figures within Unit 29155:
Stegall is portrayed as the progenitor of the unit's cyber endeavors. A former cybercriminal, he was instrumental in initiating hack-and-leak operations, such as the significant breach of Qatar's state bank. The operation aimed to expose the Qatari royal family's financial dealings, meticulously structured to direct focus towards specific intelligence operations.
Tom Muran [07:09]: "He pulled out the dealings of the Qatari royal family..."
Following Stegall's retirement or removal, Roman Puntas took over leadership. Grok criticizes Puntas for lacking genuine interest and expertise in cyber operations, viewing him as self-serving rather than mission-driven.
Tom Muran [15:03]: "The boss wanted to get into Hack and Leak..."
Grok [16:17]: "That sounds like every IT boss ever."
The hosts highlight Puntas' mismanagement, including unethical practices like funneling GRU funds to his mistress under the guise of corporate operations, reflecting a lack of discipline and oversight within the unit.
Tom Muran [33:21]: "He sets up his mistress as an employee or a contractor for 29155..."
The conversation underscores numerous operational failures stemming from poor tradecraft and insufficient OPSEC measures. Examples include:
Poor Digital Hygiene: The unit's reliance on unprotected servers and burnt emails left behind actionable intelligence trails.
Grok [08:43]: "The server fell off the back of a truck. Is that what happened?"
Ineffective Operations: Low-impact sabotage activities, such as paying individuals for graffiti or failed assassination attempts due to inaccurate targeting, demonstrate the unit's operational inefficiency.
Tom Muran [19:43]: "There is a story here about a particular firebombing..."
Inadequate Information Operations: The unit’s attempts to manipulate information through a Bulgarian journalist were hindered by the journalist’s limited influence and the niche nature of the leaks.
Tom Muran [13:09]: "Her reporting became the bedrock of official Russian government claims..."
Muran and Grok compare Unit 29155's artisanal, cell-based structure to more industrialized and hierarchical intelligence organizations like the ASD and NSA. While Unit 29155 benefits from flexibility and initiative, it suffers from limited resources, lack of coordination, and internal competition, hindering large-scale effective operations.
Grok [26:29]: "Artisanal cyber espionage as opposed to industrial."
The hosts argue that this fragmented approach limits the unit's capacity to execute impactful cyber operations, contrasting sharply with well-resourced intelligence entities that can sustain extensive campaigns.
The episode concludes by reflecting on the broader implications of Unit 29155's operational model. The unit's reliance on small, autonomous cells with minimal oversight fosters an environment where personal agendas overshadow collective objectives, leading to inefficiencies and ethical breaches. This structure not only hampers effective cyber operations but also undermines the unit's credibility and alignment with Russian national interests.
Grok [35:38]: "It's just, you know, stuff to happen in the organizations I've worked in or know."
Muran encapsulates the critical takeaway by emphasizing the unit’s departure from disciplined governance, attributing it to a culture of autonomy and lack of robust oversight.
Tom Muran [36:44]: "It's, like, got the exact opposite of good governance written all the way through it."
Tom Muran [02:36]:
"In recent times there's been more reporting about how they're doing cyber stuff. And to me it was always entirely a mystery..."
Grok [08:43]:
"The server fell off the back of a truck. Is that what happened?"
Tom Muran [13:09]:
"Her reporting became the bedrock of official Russian government claims..."
Grok [26:29]:
"Artisanal cyber espionage as opposed to industrial."
Tom Muran [36:44]:
"It's, like, got the exact opposite of good governance written all the way through it."
This episode of Risky Bulletin offers a nuanced exploration of how an ostensibly traditional sabotage unit like GRU's Unit 29155 has ventured into the murky waters of cyber operations. Through incisive analysis and engaging dialogue, Tom Muran and Grok shed light on the unit's internal dynamics, operational challenges, and the broader implications for Russian intelligence capabilities. The discussion serves as a crucial reminder of the complexities and inherent risks associated with blending traditional espionage with modern cyber tactics.