In this article, we will reveal all relevant personal information regarding this Russian officer and hacker wanted by the FBI. At the end of the publication, we will tell you how Ukrainian hacktivists creatively punished a Russian hacker by the method of “moral humiliation” by personally ordering goods on AlịExpress.
APT 28 and Lieutenant Colonel Morgachev
APT 28 (other common names – Fancy Bear, Pawn Storm) is one of the most famous Russian hacker groups, accused of many cybercrimes around the world. This structure is directly subordinate to Russian military intelligence. It has staged numerous cyberattacks against government and non-governmental targets in the United States, Germany, Italy, Latvia, Estonia, the Czech Republic, Poland, Norway, the Netherlands, Ukraine, and other countries. In July 2018, the US Department of Justice published an official indictment charging 12 GRU employees with breaking into the servers of the US Democratic Party and trying to interfere in the American elections. It was established that this structure includes GRU officers serving in military units No. 26165 and No. 74455. Lieutenant Colonel Sergei Morgachev is among the 12 people named in the indictment.
By the way, a letter from Apple for 2018 mor_s@mail.ru found at Morgachev’s mail, in which he is informed about the request for his account data received from the US Federal Bureau of Investigation in connection with the announcement of his wanted list.
Thanks to the hacking of his e-mail by hacktivists, it was possible to learn many interesting details both about Morgachev’s personal life and about the current place of residence and service in 2023.
It was also possible to obtain numerous photographs with scans of personal documents of Morgachev and persons associated with him.
Morgachev Sergey Aleksandrovich, was born on 22.05.1977 in Kiev, Ukraine. From 1994 to 1999 he studied at the FSB Academy in Moscow. From 1999 to 2022, he served in military unit 26165. Read more about his current duty station in 2023 in the article.
Citizen of the Russian Federation. New passport: 4622 608349, issued by the Ministry of Internal Affairs of the Russian Federation in the Moscow region on 12.07.2022. Registered and lives at the address: Moscow region, Korolev, Dekabristov street, 6/8, apt. 249.
Has a car Toyota RAV4, state number: P778CB750, driver’s license: 9902 449278.
Documents for the apartment
From the letter dated 29.06.2020, it was also possible to confirm the place of residence of Morgachev and look into the documents on the purchase of an apartment by him.
- Technical passport of the apartment (PDF)
Questionnaire
According to the scan copy of the form “Form 4” found in the mail of Sergey Morgachev, which is filled out for admission to state secrets, from August 1999 to August 2022 he served in the above-mentioned military unit 26165. Prior to his transfer to another duty station, he held the position of “Deputy Head of the Department – Head of the Department of Military Unit 26165“. From August 2022 to the present, he holds the position of “Software Engineer of the 1st Category” in LLC “SPECIAL TECHNOLOGY CENTER”. The questionnaire also indicates the actual address of the place of service: St. Petersburg, Gzhatskaya Street, 21, apt. 53.
LLC “SPECIAL TECHNOLOGICAL CENTER” (STC) – this enterprise plays an important role in supporting the armed aggression of the Russian Federation against Ukraine. According to the official website of the NAPC of Ukraine, sanctions have already been imposed on this organization by the United States, Great Britain, Canada, Switzerland, Japan, the EU countries and Ukraine.
The fact that Morgachev is serving in the STC is confirmed by his correspondence with the personnel department.
Among Morgachev’s documents is a fresh (dated December 13, 2022) medical certificate on the absence of contraindications for working with documents containing state secrets.
Also, among the questionnaire files, information was found about the position and specifics of the activity when serving in the Ministry of Defense of the Russian Federation, as well as the desired amount of salary that Morgachev would like to receive at the new place of service.
Sergey Morgachev’s resume was compiled on August 5, 2022, on the eve of his transfer to a new duty station. In his resume, he noted that from 1999 to the present time he served in the military unit of the Ministry of Defense of the Russian Federation. He headed the department of special software development. His duties included selecting and supervising the department’s personnel, distributing tasks, and interacting with other units. (That is, the resume indirectly confirms that Morgachev led a group of military hackers as part of the GRU.) Interestingly, he indicated on his resume that he was “not ready to move,” but was ready for business trips if they were not very frequent.
According to the income statement, Morgachev’s salary at the end of 2022 was 250-300 thousand rubles per month.
Hacking a personal account on the website of the State Services of the Russian Federation
Thanks to obtaining access to the personal account of Sergey Morgachev on the website of public services of the Russian Federation, the hacktivists were also able to clarify the data previously received from scanned copies of documents, as well as confirm the current place of service and address of residence.
Marital status: married, has two minor children.
Wife: Morgacheva Ekaterina Viktorovna, 22.07.1988.
In the photo: Morgachev Ekaterina and Sergey.
In general, the dumps of Morgachev’s correspondence contain a lot of interesting and diverse information: from vacation photos and colleagues’ birthday photos to technical documentation.
Cobalt Strike 4.0
Of the relatively recent technical documents found in Morgachev’s mail, there are files with records regarding patches for Cobalt Strike, a platform used, in particular, by hackers for cyber attacks:
Revenge is served cold. The Final “Act of Moral Humiliation”
Before moving on to the final part of the article, it is worth mentioning the background: the first acquaintance of InformNapalm and Fancy Bear.
In the first week after Russia’s full-scale invasion of Ukraine, on March 2, 2022, Raphael Satter, a journalist with the international news agency Reuters who writes about cybersecurity, published on his Twitter account a whole thread of tweets with an interesting story about how a large-scale attack by the Russian hackers of APT 28 was exposed thanks to a warning sent in April 2015 by a volunteer administrator of the InformNapalm website.
In 2015-2016, Russian hackers from APT 28 repeatedly tried to send phishing emails to volunteer administrators of the site of the international intelligence community InformNapalm. However, as evidenced by their own marks in the statistics table, not a single shortened Bitly phishing link was opened. Nevertheless, these unsuccessful attempts to attack InformNapalm led to the disclosure of a large-scale network of targets and attacks on them by Russian hackers. The most high-profile of these attacks was the hacking of the mail servers of the US Democratic Party and an attempt to interfere in the 2016 US elections.
In March 2023, the organizer of this Russian hacker group, Lieutenant Colonel Sergey Morgachev, was hacked by Ukrainian hacktivists, who, after hacking his personal correspondence, implemented a symbolic act of moral humiliation.
First, hacktivists hacked into his anonymous accounts on social networks and posted scan copies of his passports there. Here, for example, is a screenshot of his Twitter account taken after the hack.
Having also gained access to Morgachev’s account on AlịExpress, hacktivists ordered several dozen units of various goods at his address tied to the account, including souvenirs with the logo of the FBI (which is looking for him), as well as a large batch of toys for adults, which was paid for with his card.
Given that Sergey Morgachev is wanted by the FBI, he draws up parcels from AlịExpress to his mail mor_s@mail.ru in the name of his wife.
Here is one of the latest letters from the mail indicates that one of his recent orders on AlịExpress for March is already on the way and is being sent to the postal address in the shopping center of Korolev, Stroiteley Street, 15.
This also additionally confirms that the Morgachev family lives at the address of residence in Korolev, Dekabristov Street, house specified in the documents. 6/8, apt. 249. From his house to the post office, for which he receives an order from AlịExpress, is only 140 meters.
Dump
Ukrainian hacktivists of the Cyber Resistance team handed over a complete dump of Morgachev’s correspondence and personal files for publication, so that all interested persons: from the FBI to journalists, experts and all honest citizens could independently familiarize themselves with the facts set forth in the publication, and find other information that may be useful and promising for research (a link to the email dump will be added in the near future along with translations of the article into other language versions).
P.S. The international intelligence community InformNapalm thanks the hacktivists of the “Cyber Resistance” for the exclusive opportunity to take part in this interesting story and work it out together. We invite readers to subscribe to our telegram channels, on which we publish much more information than gets to the site.




























