
KEY POINTS

  • Ukrainian hackers obtained highly sensitive documents and the personal details of a Russian hacking group leader
  • Sergey Aleksandrovich Morgachev's CV and other forms confirmed his role in Russia's hacking operations
  • Morgachev was indicted in 2018 for hacking DNC servers during the 2016 U.S. election

A group of Ukrainian hackers claimed to have hacked the email, social media and personal accounts of an officer of Russia's military intelligence service.

The Ukrainian hacktivist group known as Cyber Resistance extracted highly sensitive documents and personal details of Lt. Col. Sergey Aleksandrovich Morgachev, an officer of the Main Directorate of the General Staff of the Russian Armed Forces (GRU) and the leader of the notorious Russian government-backed hacking group APT28.

The hacktivists shared Morgachev's private correspondence with the Ukraine-based volunteer intelligence initiative InformNapalm, which then publicly released the data.

These included scanned copies of Morgachev's personal documents such as his passport, his driver's license, his latest medical certificate dated Dec. 13, 2022, and Form 4, a document required to receive security clearance to state secrets.

In Morgachev's Form 4, the Russian GRU officer listed the positions he held, including "Deputy Head of Directorate - Head of Department in military unit #26165" from August 1999 to August 2022.

Morgachev, a native of Kyiv, Ukraine, also listed his current position as a "Category 1 Programming Engineer" at Russia's Special Technological Center, which was sanctioned by Ukraine, the U.S., the U.K., Canada, Switzerland, Japan and several European Union countries for its role in supporting the Russian invasion of Ukraine.

InformNapalm also obtained from the hacktivists a copy of Morgachev's CV, which it said confirmed his role in the Russian military.

"He managed the special software development department. His duties included the personnel selection and control of the department work, distribution of tasks [and] interaction with other units," InformNapalm reported of Morgachev.

"That is, the CV indirectly confirms that Morgachev led a group of military hackers at the GRU," the report added.

Ukrainian hackers also gained access to the Russian officer's AliExpress account. They ordered several items to the address linked to his account, including souvenirs featuring the logo of the U.S. Federal Bureau of Investigation (FBI) and large shipments of adult toys.

The Ukrainian hacking group confirmed Morgachev's address, which is in the Russian city of Korolev in the Moscow region.

Cyber Resistance also uncovered an email from Apple to Morgachev in 2018 informing him that the FBI was requesting his account data due to his wanted status.

In July 2018, the U.S. Department of Justice indicted Morgachev and 11 other GRU officers affiliated with APT28 for hacking into the servers of the Democratic National Committee (DNC) during the 2016 presidential elections.

According to the DOJ, Morgachev "supervised the co-conspirators who developed and monitored the X-Agent malware implanted on those computers."

The indictment led the FBI to put Morgachev on its wanted list.

Morgachev's APT28 directly reports to the Russian military intelligence agency, according to the information security website HackRead.

The group carried out other cyberattacks against government and non-government targets in the U.S., Germany, Italy, Latvia, Estonia, the Czech Republic, Poland, Norway, the Netherlands and Ukraine.

APT28 was behind the phishing attacks against authorities investigating the 2014 Malaysian Airlines MH17 crash. The Russian hacking group was also accused of impersonating the Islamic State to send death threats to the wives of U.S. service members,
