11 April 2023

Pro-Ukrainian hacktivists leak personal data of APT28’s alleged leader

The Ukrainian hacktivist group Kiber Sprotyv (Cyber Resistance) and the volunteer intelligence community InformNapalm have released a data dump containing personal information and correspondence of Lieutenant Colonel Sergey Alexandrovich Morgachev, an officer of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) and the suspected leader of the Russian state-sponsored cyber-espionage group APT28 (GRU Unit 26165).

APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, Tsar Team, and STRONTIUM, has been operating since at least the mid-2000s. The group’s targets include governments, militaries, and organizations in NATO-aligned states. Fancy Bear is suspected of carrying out attacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, US government organizations, NATO, the US Democratic National Committee (DNC), and the campaign of French presidential candidate Emmanuel Macron.

Sergey Morgachev was among the 12 GRU officers named in the US Department of Justice’s 2018 indictment, which charged the Russian nationals with hacking the Democratic Congressional Campaign Committee (DCCC) and the DNC to interfere with the 2016 presidential election.

The Kiber Sprotyv team was able to break into an email account belonging to Morgachev and obtain sensitive data, including scans of personal documents that shed light on his private life, his current place of residence and service, and the people associated with APT28’s suspected leader.

In addition, the technical documents found in Morgachev’s email included files with notes on patches for Cobalt Strike, a legitimate post-exploitation tool built for adversary simulation that is also widely abused by cybercriminals to deploy malware, including ransomware. Earlier this month, Microsoft, Health-ISAC, and the cybersecurity firm Fortra took legal action to disrupt the abuse of the Cobalt Strike post-exploitation tool.

Furthermore, the hacktivists gained access to Morgachev’s AliExpress account and ordered several dozen items to the address linked to it, paying with his card: souvenirs bearing the logo of the FBI, which has him on its wanted list, as well as a large shipment of adult toys.

Recently, the Ukrainian hacktivists pulled a similar prank on the pro-Russian “war blogger” Mikhail Luchin, who had been collecting money to buy drones for the Russian military. The hackers breached Luchin’s account with the Chinese-run marketplace AliExpress and swapped his order of $25,000 worth of unmanned aerial vehicles for adult toys.

In another instance, the team tricked the wives of Russian servicemen into revealing sensitive information about Col. Sergey Atroshchenko, who is thought to have ordered the bombing of the theater in Mariupol, and about the members of his regiment, including their home addresses, passport details, and salaries.

Last week, InformNapalm leaked dumps of emails and other private correspondence of Semyon Bagdasarov, a former member of the State Duma (the lower house of the Russian parliament), director of the Russian Center for the Study of the Countries of the Middle East and Central Asia, and host of the SMERSH talk show on the TV channel of the Russian propagandist Vladimir Solovyov.
