On Friday, the New York Times broke the explosive story that a unit of Russia’s military intelligence—Unit 29155 of the GRU—had allegedly offered bounties to militants in Afghanistan to kill U.S. troops. The GRU, Russia’s military intelligence agency, has emerged as a key player in Moscow’s efforts to sow chaos around the world, including the operation to hack and release emails from Hillary Clinton’s 2016 presidential campaign.
Unit 29155, accused of offering bounties to Taliban-linked militants, has spearheaded some of Russia’s most brazen overseas operations in recent years—or at least the ones we know about, from the attempted coup in Montenegro in 2016 to the botched effort to assassinate former Russian spy Sergei Skripal in England.
It’s not clear how the U.S. intelligence community was able to tie the operation back to Unit 29155. Information about the bounty plot, which was included in the president’s daily intelligence briefing early last year, is filtering into the press in bits and pieces. On Tuesday the Times reported that the assessment was backed up by evidence of bank transfers between bank accounts linked to the GRU and the Taliban.
While Unit 29155 is often described as secretive, its tradecraft has at times been sloppy, including implausible cover stories and repeated use of the same aliases. Using leaked passport records, flight passenger data, and databases of border crossings, journalists and open-source investigators from groups such as Bellingcat and the Russian outlet the Insider have been able to use this trail of breadcrumbs to build a remarkably detailed picture of the unit and its members.
Bellingcat’s findings have been “consistently accurate,” said Marc Polymeropoulos, who formerly oversaw the CIA’s operations in Europe and Eurasia before retiring from the agency last year. “Since it was open source, it enabled us to discuss the GRU activities more openly, particularly with foreign liaison services.”
What exactly is the GRU?
Russia has three main intelligence agencies: the Foreign Intelligence Service (SVR), the Main Intelligence Directorate (GRU), and the Federal Security Service (FSB), the most powerful of the three. All three are involved in foreign operations, but it’s the GRU that has the necessary audacity to attempt complicated, high-stakes operations. “The GRU was always seen as a little more thuggish. They are tasked to do all of these things but their tradecraft is not great,” Polymeropoulos said.
How did a unit in an intelligence agency get to be so visible?
Unit 29155 is thought to have operated for at least a decade, but it wasn’t until its agents attempted to assassinate former Russian spy Sergei Skripal in 2018 that intelligence agencies and investigative reporters were able to gradually map out the group’s membership and their involvement in other Russian operations in Europe.
In early 2018, two Russian men operating under the aliases Alexander Petrov (later revealed to be Alexander Mishkin) and Ruslan Boshirov (whose real name is Anatoliy Chepiga) sprayed the deadly nerve agent Novichok on the door handle of Skripal’s home in Salisbury, England. Six months later, British prosecutors had enough evidence to identify the men as agents of the GRU and to charge them with attempted murder. The pair’s movements had been picked up by the U.K.’s plentiful closed-circuit TV cameras from the moment they stepped off an Aeroflot flight from Moscow.
A little over a week later, Petrov and Boshirov appeared on the Russian state-controlled TV channel RT to claim that they were but humble fitness instructors who flew to the U.K. for a weekend to travel to Salisbury not once, but twice, to see the city’s cathedral.
Once the photos of the pair were released, digital sleuths at the open-source investigative group Bellingcat were able to piece together their identities. Knowing that they were GRU, they scoured the website and yearbooks of a GRU training academy in Siberia that, given their age, the men likely attended. There, they found a photo of Chepiga in Chechnya in an article posted on the academy’s website in 2018, which noted that graduates of the academy had gone on to receive the “Hero of Russia” award, Russia’s highest military honor. It was this detail that led them to Chepiga’s true identity. Passports of GRU aliases will often use the same first name, patronymic—a name derived from the name of a person’s father—and date of birth as the agent’s true identity. Working on this assumption, Bellingcat researchers were able to find Mishkin’s real name and identity in leaked databases of Russian passport records.
The sloppiness of the operation, especially the use of a Soviet-developed nerve agent, led a number of experts to conclude that it was meant to be traced back to Russia. “They wanted to send a signal that this is what happens to defectors,” said Andrea Kendall-Taylor, a former deputy national intelligence officer for Russia and Eurasia at the National Intelligence Council. It was the discovery of a third accomplice, who traveled under the alias Sergei Fedotov, that led to the discovery of Unit 29155. His involvement was first reported by the St. Petersburg news outlet Fontanka.
The travel history of Fedotov, whose real name is Denis Sergeyev, revealed that he had been part of a team dispatched to the capital of Bulgaria in 2015 to poison local arms dealer Emilian Gebrev. The case had been closed by investigators in Bulgaria. But details of the assassination attempt served as a “Rosetta stone” for Western intelligence agencies, reported the New York Times, which enabled them to decipher the unit’s activities. In 2016 the unit attempted to orchestrate a coup in Montenegro, which at the time was on the brink of becoming a NATO member state. Last year the high court in Spain, the Audiencia Nacional, opened an investigation into the unit’s alleged connection with a 2017 independence bid by the Spanish region of Catalonia.
Using flight records, passenger data, and a database of Russian border crossings, researchers at Bellingcat were able to reveal that Sergeyev traveled frequently to Europe, Central Asia, Ukraine, and the Middle East between 2012 to 2018 under his persona of Sergei Fedotov. The purpose of the majority of these trips is still unknown.
“We only know the failures, because they fail a lot. They may be doing a lot of other things that we don’t know about,” said Aric Toler, who heads up Bellingcat’s investigations in Eastern Europe.
Much of the unraveling of the GRU unit’s activities was made possible by the fact that there is a booming trade in hacked and leaked data in Russia. “The Russians have an issue with the fact that you can basically buy any information. It’s kind of a perverse fact that Russia is very transparent in this way,” said Mark Galeotti, a senior associate fellow at the British-based Royal United Services Institute. Databases of flight records, customs data, passport information, and car registrations have been instrumental in the work of journalists and researchers piecing together the activities of Russian intelligence operatives abroad.
Why are the Afghan bounties such a big escalation?
U.S. President Donald Trump insists that the story is basically a fabrication—doubling down on charges of “fake news” on Wednesday despite multiple independent confirmations of the Times report—but former intelligence officials agreed that the fact that the assessment made its way into the president’s daily briefing reflects a high degree of confidence.
“If an assessment was made and it made it to the PDB there would have to be pretty significant confidence and cohesion in the intelligence community views on this,” said Kendall-Taylor, now a senior fellow with the Center for New American Security.
It’s not clear why the Taliban would need a financial incentive from Russian intelligence services to kill U.S. troops, whom they’ve fought for decades. But the alleged bounties represent a significant escalation in Russia’s efforts to directly target American interests. It’s not yet clear yet whether the Kremlin intended the payments to the Taliban to be discovered, knowing that it would sow further discord in the United States. Kendall-Taylor said that while not all operations carried out by the unit are intended to be traced back to them as the Skripal case was, that GRU was also unlikely to put secrecy ahead of its objectives.
While the Russian security services have been brazen in their efforts to kill critics, defectors, and former Chechen fighters abroad, this is a big shift. “They’ve always been very careful about Americans because they know there’s a massive price tag on dead Americans,” Galeotti said. U.S. forces have similarly made “painstaking efforts” to avoid hitting Russian troops in Syria, Kendall-Taylor noted.
Trump’s failure to respond to the intelligence has prompted a firestorm of criticism in Washington from both parties. On Wednesday, Republican Sen. Chuck Grassley described the revelations of Russia’s actions as a “serious escalation” that “demands a strong response.” In contrast, when Iran downed an unmanned U.S. drone last year, Trump nearly responded with an attack, but didn’t. When Iran killed a U.S. contractor late last year, he ordered the killing of a top Iranian general, Qassem Suleimani.