Document Find, was it the GRU?

Document Find, was it the GRU?

With the latest embarrassment linked to Porton Down Philip Ingram MBE asks, the document find, was it the GRU?

At one-minute past midnight on 4thOctober 2018 a statement came out from the British Government saying that the National Cyber Security Centre (NCSC) had “identified that a number of cyber actors widely known to have been conducting cyber-attacks around the world are, in fact, the GRU.”

The GRU is the Russian Military Intelligence organisation also known as the Main Intelligence Directorate who have been accused of being responsible for the assassination attempt on Sergei Skripal in Salisbury in March last year and causing the death of Dawn Sturgess.

Colonel Anatoliy Chepiga and Colonel Dr Alexander Mishkin had flown into Gatwick on 02 March and out of Heathrow on 04 March 2018, having been seen in Salisbury on Saturday 03 and again on Sunday 04 March when Sergei Skripal was contaminated by Novichok being placed on the handle of the front door of his house.

Sergey Naryshkin, the head of the Russian Foreign Intelligence the SVR said in October,“Even if one assumes that some secret service was really given such a mission, the way it handled this case was very unprofessional.” Philip Ingram MBE a former Colonel in British Military Intelligence believes rather that his statement being a Russian denial of Salisbury, it was a swipe at the GRU.  “There is no love lost between the GRU and the SVR especially when it comes to competing for resources and influence,” Ingram said.

Then in November 2018 Victor Korobov, the head of the GRU died at the age of 62 supposedly after a “long and difficult illness.”  He had been on sick leave ever since a dressing down by President Putin after the expose of GRU activities in Salisbury, outside the OPCW in the NL and the Bellingcat revelations of wider GRU activities.

The one thing that clearly comes out of this is the GRU were bruised, bruised operationally and their ego was deflated. As an organisation they had something to prove, that something was they could still operate.

Since then we have heard of Wiltshire Council computers suffering a cyber attack (The GRU operate Russia’s cyber capability), Gatwick Airport suffered a cyber attack, a mysterious and large Russian flag was unveiled on scaffolding on Salisbury Cathedral, Gatwick Airport was closed for 36 hrs through drone incursions which both Philip Ingram and Sir Gerald Howarth, David Cameron’s international security minister, assessed could have been done by the Russians and now we have classified documents relating to staff at Porton Down being found in a recycling bin in North London.

One thing an intelligence professional will look for is a pattern, and there is a very clear pattern of activity aimed at embarrassing Wilts council and the people of Salisbury, Gatwick who had pictures of the GRU team arriving, Porton Down and through to all the UK Government. That pattern of activity points towards an intent.

The second question an intelligence professional asks is if they have the capability. That is easier to confirm. The GRU are responsible for Russia’s national cyber capability.  The Bellingcat investigations have exposed their global travel carrying out operations. Philip Ingram believes even Salisbury will have a longer term focus as he highlighted in his blog

Putting all of this together we have a strong possibility that the documents discovered by an individual in a recycling bin, reportedly from or related to Porton Down and passed to a national newspaper and not the police, were compromised and put there by a GRU team to embarrass Porton Down. Ingram’s spooks paradise blog looks even more credible! 

Note: This blog is written by Philip Ingram MBE, a former British Army Intelligence Offficer who was based near Salisbury in the past. If you would like any further comment from Philip, please contact him by clicking HERE

The Skripal Investigation, the next revelation.

The Skripal Investigation, the next revelation.

The Skripal Investigation, the next revelation.

On Saturday The Guardian Newspaper published a story which said: “The Russian men suspected of poisoning Sergei and Yulia Skripal in Salisbury received a phone call after returning to London on the day of the alleged attack, raising the possibility that a backup team played a role in the operation.

One theory being considered by investigators is whether the call, which has not been disclosed before, was a signal to tip them off that the operation had been a success.”

So, what does this mean, how significant is it and is there more we can deduce from this new snippet released by the Metropolitan Police?

It gives an understanding to more detail that could be out there, and yes, it is very significant, so lots more can be deduced! Philip Ingram MBE a former British Military Intelligence Officer explains some of the things that the investigators will have and what this means.

The first thing that this statement confirms is the probable existence of a second team. This is something that the Grey Hare Media team have been saying over and over again in the numerous Skripal related Grey Hare Blogs, the last of which is here:

What it does suggest is that the second team (and there could even have been a third) were there during the operation carried out by Chepiga and Mishkin and remained there afterwards. They were providing overwatch and checking to see if the operation was a success.  Although it is a bit of a speculative jump, there is a possibility they are part of a clandestine Russian unit permanently in the Salisbury area (suggested here: However, it is unlikely that anyone involved in deep cover operations would get involved in something so dynamic, unless resources were scarce. 

It could also explain the ‘sealed’ bottle of Novichok that Charlie Rowley found some time later. There could have been a second bottle left as a back-up in case the first attempt failed. 

The next thing it confirms is that Chepiga and Mishkin has a phone they used on the operation. This is almost certainly a UK pay as you go, unregistered “burner” phone and the fact they received a “phone call”, rather than a call being made over a secure App such as Threema or WhatsApp, would suggest the phone wasn’t a smart phone. This would make sense as smart phones, with their built in GPS capabilities, are much easier to track once identified. 

So how would they have identified the phone?  Well, all phones operate using a SIM card and each SIM card has a unique International Mobile Subscriber Identity (IMSI) number which consists of the users account number, network code and telephone number. There is a second number, and this is the International Mobile Equipment Identity, (IMEI) number that relates to the handset and remains the same even if the SIM is changed. 

When mobile phones are switched on, they transmit these numbers to local phone cells to “check in” and do the same each time they make a call.   The mobile network is divided into a series of cells with a base station at the centre of each cell and they can hand calls across to each other, giving seamless coverage to the user. 

If the police have identified a call being made it means they almost certainly know the IMSI and IMEI numbers linked to that call and to all other calls to and from that handset or SIM. The GRU network will have likely been identified.

The police will have been looking at base station activity corresponding with the times Chepiga and Mishkin were on their train journeys, in Salisbury, other travel rotes they will have taken in London and near their accommodation in London to see if they could identify on IMEI or IMSI number that was consistent and ideally both.  The huge amounts of data they will have had to crunch through to do this is unimaginable but shows the effort that is being put in to the Skripal Investigation. It is highly probable that the computing power of the government listening agency, GCHQ will have been used for this part of the investigation. 

With this information, a more detailed understanding of the movements of the GRU officers and any associates who they have communicated with can be deduced if the phones and SIMs have been connected to the network more than one time only. 

With this level of detail going into the investigation, there is a lot more yet to be exposed.

Note: This blog is written by Philip Ingram MBE, a former British Military Intelligence Officer and Colonel, who was based near Salisbury in the past. If you would like any further comment from Philip, please contact him by clicking HERE

Skripal and Salisbury an infamous combination

Skripal and Salisbury an infamous combination

Skripal and Salisbury an infamous combination

It is now a year since Colonel Dr Alexander Mishkin and Colonel Anatoliy Chepiga, traveling under the false identities of Alexander Petrov and Ruslan Boshirov, both members of the Russian Military Intelligence Service, the GRU, entered Britain through Gatwick airport. They had a deadly intent, kill the double agent who was living in the sleepy city of Salisbury, Sergei Skripal, using the deadly nerve agent Novichok.

Their mission was a simple one but had been carefully planned. Sergei Skripal’s daughter Yulia was landing at Heathrow airport to visit her father and be with him on what would have been her late brother Alexander’s birthday. Her emails and probably her phone, were being monitored by Russian intelligence and they would have known her arrangements in detail.

After checking into a cheap East End of London hotel Mishkin and Chepiga waited until the next morning to take the train to Salisbury from Waterloo, to carry out a final ‘close target recce’ of Sergei Skripal’s house in Christie Millar Road.

Their detailed movements in Salisbury that day have not been revealed completely but it is probably that, in their possession they had a detailed ‘pattern of life’ study on Sergei Skripal, possibly delivered to their hotel, so they knew his normal routine. They knew he left his house through the front door, not the side or back door, they knew he pulled it shut by the handle, not the door frame, they knew everything about him because others will have spent time watching him closely, studying his movements, reading his emails, listening into his phone conversations.

Mishkin and Chepiga’s trip to Salisbury on Saturday 3rdMarch 2018 would be to confirm the route to take to Sergei Skripal’s house from Salisbury Station, look for signs of him being watched by British Intelligence, confirm their escape plan and possibly meet with at least one member of the team that carried out the ‘pattern of life study,’ before returning to London.

Early on Sunday 4thMarch, Mishkin and Chepiga return to Salisbury with a fake Nina Ricci Premier Jour perfume bottle filled with deadly Novichok in Russia having replaced the cap with a special applicator that morning. On arrival in Salisbury they quickly retrace the route they checked out the day before and approached Sergei Skripals house to smear the deadly agent onto his front door.

Whilst it is possible it was dispensed directly from the modified perfume bottle the danger of ‘splash back’ would have meant putting it onto a wipe and smearing that onto the door handle would be safer; we don’t know if this is what they did.  Both Mishkin and Chepiga will have been wearing protective gloves and it is probable that Mishkin carried self-injecting epi pens filled with a nerve agent antidote, atropine, just in case anything went wrong.

This is where their movements become a bit of a blur. At some point they will have taken their contaminated gloves off and disposed of them, that is probably the point they dropped the fake Nina Ricci Premier Jour perfume bottle and exactly where all of this happened is not known publicly yet, neither are the details of their movements around Salisbury before catching the train back to London and then to Heathrow. How and where they disposed of their contaminated gloves has never been mentioned and the fate of the fake Nina Ricci Premier Jour perfume is too well known when Charlie Rowley gave it to his girlfriend Dawn Sturgess on 30thJune 2018 and she sprayed its contents onto her skin, exposing herself to a lethal dose of Novichok.

Just after the attack on 15thMarch 2018, I asked the MET police who had taken over the investigation, what had happened to the items the ‘would be’ assassins had used and was met with silence, I published my concerns here: in the Sunday papers. Statements from Public Health England said the risk to the public was very low, Dawn Sturgess paid with her life months later.

The detail of where Charlie Rowley found the contaminated perfume bottle and when he found it are unclear. It is distinctly possible he found it in early March and put it in his bag, forgetting it was there until he unpacked after moving into new accommodation from a homeless shelter in June.

I now repeat my question, what happed to the gloves they will have worn? I suspect they were put in a local bin and the next day taken by the council to landfill so are now safely disposed of, but no one has said.

Why Sergei Skripal?

The most important point to start with is the reason for the attack on Sergei Skripal. It was not done first and foremost to kill him, it was assumed, given the deadly nature of Novichok, that he would die. However, if that were the sole motivation then he would have been shot, stabbed or had a car accident. Sergei Skripal was a vehicle used to send a message to any Putin dissenters across the globe that he could get them anywhere, any time and in a horrible way. Prime Minister May hinted to this in an answer to a question after her statement in the House of Commons on 5thSep 2018.

The second reason was to stir a nationalistic fervour into his Presidential campaign domestically by having a reason to say the west was attacking poor Russia.  Remember the attack happened exactly 14 days before the Russian Presidential election and opposition parties and oligarchs were becoming more threatening to Mr Putin’s position and his desire for an increased majority.

Sergei Skripal was chosen because Salisbury in next to DSTL Porton Down, the UK’s chemical defence laboratory and this allowed an element of plausible deniability where President Putin could claim that this was set up to undermine him in the eyes of the international community.

Of note, this is exactly the messaging that came out in the immediate aftermath of the attack. The Russians have a doctrine called маскировка (maskirovka) which is all about ‘masking’ or deception and is central to all they do.  The Russian people have an unhealthy belief in conspiracy theories and that the west is out to get them no matter what and this played into President Putin’s domestic messaging.

Putin and the GRU will have been surprised at the tenacity of the UK’s counter-terror police and Security Services investigation and the level of detail they have managed to ascertain. The public exposure of Mishkin and Chepiga by the investigative website Bellingcat will have severely embarrassed the GRU.

Sergei and Yulia Skripal will now be under the protection of MI5 and being held safely out of the public eye. They will be receiving further medical support for their physical and mental symptoms. Their futures will be being discussed with them and they are an integral part of any and all decisions about what happens next. For Yulia, a complete innocent who had a bright career and future, it must be particularly hard.

What are we missing?

We are missing detail what the police believe happened to other contaminated items, we are missing detail around the movements of Mishkin and Chepiga around Salisbury, very little footage from the city’s new £450,000 public space CCTV has been released, we are missing details of the team that will have carried out the pattern of life study, we are missing details of what Mishkin and Chepiga did in London.

However, we have to remember there is a politically sensitive, highly complex live murder investigation ongoing, so it is unlikely much of this detail will be released because we don’t need to know. A comment on the contaminated detritus to build further public confidence would be good however.

We have to recognise the huge effort the police, security service, ambulance, fire and rescue, NHS, military personnel, DSTL scientists, civilian security staff and council workers have put in to deal with every aspect of this ongoing spy story. If it were not for their professionalism and coordinated effort there would almost certainly be more deaths and much longer lasting consequences for Salisbury and its surrounds.

Note: This blog is written by Philip Ingram MBE, a former British Army Intelligence Officer and Colonel, who was based near Salisbury in the past. If you would like any further comment from Philip, please contact him by clicking HERE

Santa hacked again

Santa hacked again

Santa hacked again – Grey Hare spies investigate the latest.

In the run up to Christmas there are always incidents that bring joy, bring concern and bring worry.  HMS Big Lizzie returned to her home port after successful sea and air trials started last year just before Christmas when she was used as a to secret FOB for Santa, as reported by the Grey Hare Media team here:

However, in the year the new General Data Protection Regulation came into force, we were reminded of Santa’s vulnerability given the amount of data he has in his databases. He knows the name and address of every child across the globe. He has details of who has been good and who has been naughty, his naughty list is one of the most comprehensive global databases, and it was hacked!

Now there are a few things that we need to know about Santa and the Grey Hare spies have been hunting to bring them to you. He has 31 hours of Christmas to work with thanks to the different time zones and the rotation of the earth and according to observations from the International Space Station he travels east to west.

The North American Aerospace Defense Command (NORAD)have a special SANTA tracking facility that is made ready once a year to ensure that SANTA is kept safe and should there be any mishaps, then the right help can be provided quickly.

This joint US/ Canadian facility will not be affected by President Trump’s government shutdown. It is a vital global service ensuring the safety of happiness and joy.

What NORAD have conferment is that Santa makes 822.6 visits per second allowing him 1/1000th of a second to park, hop out of the sleigh, jump down the chimney, fill the stockings, distribute the remaining presents under the tree, eat whatever snacks have been left, get back up the chimney, get back into the sleigh and move on to the next house….. phew…..

So, the chances of children seeing him are very remote, however, he has specialist stealth technologies that keep him invisible, but that seems to have been compromised.

Santa’s sleigh moves at 650 miles per second, 3,000 times the speed of sound. This makes Rudolf a very special type of reindeer as a conventional reindeer can run at a maximum of about 15 miles per hour. His defining feature is his red nose but at 650 miles per second and with special stealth technologies, only Santa and the other reindeers should be able to see it.

However, the Grey Hare spies’ team have been informed that Santa’s stealth technology was hacked at the same time his naughty list was. This has only just come to light when Gatwick Airport was brought to a standstill over drone incursion incidents.  What people don’t realise is that just before Christmas each year Santa has a series of practice runs to let his reindeers stretch their legs and confirm they still remember where to go. Part of their emergency plans are landing (covertly) for quick repairs so present delivery can continue. The Grey Hare spies saw HMS Big Lizzie being used last year, however, a regular conventional stop is Gatwick Airport amongst other global airports.

This is not widely publicised as at 650 miles per second, using Santa and Rudolf’s specialist anti-collision device (the red Nose) he is usually in and out between flights without being noticed. This year was different, something clearly blocked the red nose stealth tech making it visible and concerned staff will have reported it as a possible drone incursion. Santa’s security team believe this may have been a deliberate act by the GRU to say “Bah Humbug” for embarrassments they have suffered this year.

Severely embarrassed at disrupting flights for his adoring fans coming to the North Pole to visit him, as well as those off on holiday, Santa has refused to comment on this latest embarrassment.  Luckily, under his beard, and with his red suit, no one had noticed the gentle flush of his face going red.

What is critical is that his operations on 24thDec delivering presents goes ahead – so appeals have been made to Elisabeth Denholm the Information Commissioner and the EU GDPR regulators not to investigate Santa too closely and to the Gatwick authorities, to realise he is really, really sorry!  He also appeals to the GRU and President Trump just to let him get on with his job and deliver joy not angst.

Follow his progress using NORAD’s live tracker here:





The GRU is on the Ropes

The GRU is on the Ropes

The GRU is on the Ropes

****Updated 1230 on 04 Oct 18*****

At one-minute past midnight on 4thOctober 2018 a statement came out from the British Government saying that the National Cyber Security Centre (NCSC) had “identified that a number of cyber actors widely known to have been conducting cyber-attacks around the world are, in fact, the GRU.”

The GRU is the Russian Military Intelligence organisation also known as the Main Intelligence Directorate who have been accused of being responsible for the assassination attempt on Sergei Skripal in Salisbury in March this year.

Since then, the British Prime Minister Teresa May has openly accused the GRU of their involvement in the attack, saying the two attackers, Alexander Petrov and Ruslan Boshirov had flown into Gatwick on 02 March and out of Heathrow on 04 March and these names were almost certainly pseudonyms.

The investigative journalism website Bellingcat went on to expose the real identity of the man who travelled under the name Ruslan Boshirov as Colonel Anatoliy Chepiga, a highly decorated GRU Officer who had received the Hero of the Russian Federation award in 2014.

In what Philip Ingram MBE a former British Colonel in British Military Intelligence believes is a swipe at the GRU the head of the Russian Foreign Intelligence Service, Sergey Naryshkin, when he said the Salisbury attack was “unprofessionally done.”

Almost sensing the GRU is ‘on the ropes’, openly outed for the Skripal attack, embarrassed by the ease with which investigative journalists with Bellingcat managed to expose serious flaws in the administration of their secret agents and expose the real identity of one of their highly decorated agents, linking him to Salisbury, for the first time, the UK authorities have come out fighting.

What is the GRU accused of this time?

The NCSC has attributed a number of recent attacks to the GRU.  The October 2017, BadRabbit ransomware attack encrypted hard drives and rendered IT inoperable.  This caused disruption including to the Kyiv metro, Odessa airport, but was almost an own goal as it also caused disruption at Russia’s central bank and two Russian media outlets. NCSC assess with high confidence that the GRU was almost certainly responsible.

In August 2017, confidential medical files relating to a number of international athletes, including the cyclist Sir Bradley Wiggins were released.  WADA stated publicly that this data came from a hack of its Anti-Doping Administration and Management system. NCSC assess with high confidence that the GRU was almost certainly responsible.

In 2016, the Democratic National Committee (DNC) was hacked and documents were subsequently published online. NCSC assess with high confidence that the GRU was almost certainly responsible.

Of interest in July 2018 the team of special investigator Robert Mueller named 12 apparent GRU officers over the alleged hacking and leaking of Democratic party emails.

Between July and August 2015, multiple email accounts belonging to a small UK-based TV station were accessed and content stolen. NCSC assess with high confidence that the GRU was almost certainly responsible.

This is not the first time the GRU has been accused.

In June 2017 a destructive cyber attack targeted the Ukrainian financial, energy and government sectors but spread further affecting other European and Russian businesses. The UK Government attributed this attack to the GRU in February 2018.  NCSC assess with high confidence that the GRU was almost certainly responsible.

In October 2017, VPNFILTER malware infected thousands of home and small business routers and network devices worldwide.  The infection potentially allowed attackers to control infected devices, render them inoperable and intercept or block network traffic

In April 2018, the NCSC, FBI and Department for Homeland Security issued a joint Technical Alert about this activity by Russian state-sponsored actors.

The Foreign Secretary, Jeremy Hunt said:

“These cyber attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport.

“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens.  This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”

The UK is not alone with accusing the GRU and last night the Australians came out to support the UK statement. Of note, the Australians are part of the 5 eyes community.  This is an intelligence-sharing community of the US, UK, Canadians, Australians and New Zealand.

Timing is of interest as it is almost certainly a swipe at President Putin, waning him off interfering with the US midterm elections due on 6thNovember 2018.

The UK Prime Minister said in Parliament on 5 September 2018, the UK will work with our allies to shine a light on the activities of the GRU and expose their methods.  Her dancing queen speech in Birmingham is turning into her Rocky Balboa attack on the GRU, for the first time she is taking the fight to the Russians.

The announcement this morning by the Major General Onno Eichelsheim from the Dutch MIVD intelligence service regarding the expulsion of 4 GRU agents who were targeting the OPCW in the Netherlands is significant in it shows the international community joining Teresa May in ‘the ring’  helping with the fight against the Russians in an unprecedented way.  Of significance, what is being exposed are some very bad ‘drills’ by the GRU operatives  and this reinforces Sergey Naryshkin comments that the Skripal attack was ‘unprofessionally done.’

Note: This blog is written by Philip Ingram MBE, a former Colonel in British Military Intelligence, who was based near Salisbury and has assessed Russian activity for many years. If you would like any further comment from Philip, please contact him by clicking HERE