From Group to Individual: Modeling InformNapalm’s Article on Sergey Morgachev of APT28

by savage | 2023-06-28


In April 2023, InformNapalm profiled Lieutenant Colonel Sergey Alexandrovich Morgachev, an officer in Unit 26165 of the Main Intelligence Directorate of the General Staff of the Russian Army (GRU), which multiple sources have assessed to be responsible for cyber activity associated with APT28. The report was based on information provided by individuals calling themselves the Cyber Resistance, who had gained access to Morgachev’s email and various other online accounts, including a social media profile, e-commerce account, and an account with a Russian government service portal. Capturing this information within Synapse not only allows us to ask and answer questions about this individual, but also understand how they connect to other previously modeled data such as threat clusters and organizations.

Who is Sergey Alexandrovich Morgachev?

Prior to InformNapalm’s report, publicly available information about Morgachev was primarily limited to that included in the US Department of Justice's 2018 indictment of Morgachev and eleven of his compatriots for, among other things, conspiracy to commit an offense against the United States through their efforts to interfere with the 2016 presidential election. The indictment noted that Morgachev was a Lieutenant Colonel in the Russian military and supervised a team within Unit 26165 of the GRU that was responsible for developing and managing malware used in operations.

InformNapalm’s publication of Morgachev’s emails and personal documents provides access to much more granular information about Morgachev, including that gleaned from his:

  • Passport

  • Curriculum Vitae

  • Driver’s license

  • Security clearance forms

  • Email correspondence

  • Social media and online accounts

  • Notes on Cobalt Strike patches

Capturing this information in Synapse allows us to answer questions such as:

What contact information did InformNapalm release for Morgachev (note that this would include instances of contact data found on his passport, license, documented places of employment, and other data with records of address)?

media:news:publisher:name="informnapalm" -(refs)> ps:contact +:name^=serg
_images/contact.webp

What contact information did InformNapalm include for his wife?

media:news:publisher:name="informnapalm" -(refs)> ps:contact +:desc~=wife
_images/wife.webp

Where does Morgachev work? What jobs has he held previously?

ps:contact:name~=morgachev -> ps:workhist
_images/workhist.webp

Which of Morgachev's email correspondence did InformNapalm include in their article? Did any contain an embedded URL?

media:news:publisher:name="informnapalm" | tee {-(refs)> inet:email:message:to=mor_s@mail.ru} {-(refs)> inet:email:message:link}
_images/email.webp

Does Morgachev have a driver's license? Does he have a car, and if so, what do we know about its registration?

ps:contact:name~=morgachev | tee {-> transport: land:license} {-> transport:land:vehicle} {-> transport:land:registration}
_images/car.webp

Where did Morgachev go to school and during what timeframe?

ps:contact:name~=morgachev -> ps:education
_images/edu.webp

The Bigger Picture

Modeling data from InformNapalm’s report enables us to answer specific questions about Morgachev, while other, previously captured information from indictments and other sources helps to reveal additional context and allow analysts to see the bigger picture. Here are some examples of additional questions we might ask:

InformNapalm notes that Morgachev worked with GRU Unit 26165 - what other individuals do we know of who also worked in that same unit?

ps:contact:orgname^="military unit 26165" +:name -:name~=morgachev
_images/26165.webp

Based on our other modeled data, it looks like we have an address for Unit 26165. Where was that unit located?

ou:org:name^="military unit 26165" :hq -> ps:contact -> geo:place
_images/map.webp

InformNapalm notes that this unit is frequently associated with the threat group APT28 - what nodes have we tagged as associated with APT28 activity?

ou:name=apt28 -> risk:threat :tag -> syn:tag -> *
_images/iocs.webp

InformNapalm also noted that Morgachev currently works at a company called the Special Technological Center. What do we know about this organization?

ou:name^="special technological center" -> ou:org
_images/stc1.webp

This query lifting the ou:org node representing the Special Technological Center shows that the node is tagged with #rep.ustreasofac.cyber2. Based on the :doc strings for that syn:tag node, we know that the #rep.ustreasofac.cyber2 tag is used to identify organizations that the US Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned as part of a program called CYBER2:

ou:name^="special technological" -> ou:org ->#
_images/stc2.webp

For more information, we can pivot to query for any media:news nodes referencing the Special Technological Center. Our query lifts nodes representing the Executive Orders, as well as InformNapalm’s article:

ou:name^="special technological center" -> ou:org <(refs)- media:news
_images/ofac.webp

From Morgachev to the GRU

In this blog we used Synapse’s data model to capture information about a specific individual, allowing us to answer questions about his educational background and work history, contact history, and official documentation, among other details. We were also able to pivot from the InformNapalm-reported data to see how Morgachev related to other data we had previously modeled within our Synapse instance, such as information about other members of GRU Unit 26165, as well as additional information about the Special Technological Center.

Synapse is designed for use across various disciplines as well as levels of analysis. In this example, we initially focused on very detailed information specific to an individual, before broadening the scope of our focus to examine how this individual fit into other information we know about related organizations, threat activity, and even US sanctions programs. Taking advantage of the depth and breadth of Synapse’s data model not only supported our analysis at those two different analytical heights, but also allowed us to pivot between the two when asking and answering questions about the data.

To learn more about Synapse, join our Slack Community, check out our videos on YouTube, and follow us on Twitter.