
Current security events have once again shed light on hybrid Russian activities in Montenegro, this time through a well-organized intelligence network, with the aim of collecting confidential data of a NATO member. The epilogue of the action carried out on September 29 by partner services and Montenegrin authorities, primarily the Ministry of Internal Affairs of Montenegro and the National Security Agency, was the denial of residence for 6 Russian diplomats and the ban on entry to Montenegro for 28 foreign citizens who, as stated, worked for the interests of foreign services. Among those suspected of working for the Russian intelligence service is the former spokesman of the Ministry of Foreign Affairs, Radomir Sekulovic.
According to publicly available sources, the National Security Agency is in possession of information that Sekulovic was part of a spy network formed by an intelligence officer of the Russian Military Intelligence Service GRU, Igor Zaitsev.
ANB recorded the arrival of Zaitsev in Montenegro on several occasions, ending with 2018, when he had contacts with Sekulovic. It was then established that the Russian intelligence officer had brought new equipment for encrypted communication which he handed over to Sekulovic, which is precisely the modus operandi of the intelligence network that Zaitsev formed and led across Europe.
Sekulovic held that position in the Ministry of Foreign Affairs during the time of the state union of Serbia and Montenegro, was employed in consular affairs for over 30 years, and held a high position even in the former Yugoslavia. It is indicative that Sekulovic worked for a long time in consular affairs in African countries, at a time when Igor Zaitsev, as a member of the Fourth Department of the GRU, was in charge of Africa.
Who is Igor Zaitsev?
Igor Zaitsev, born on April 6, 1954, led the GRU intelligence network that operated in several European countries and included members of the administrations of those countries since 1990.
After informing the Austrian authorities, in 2018, one of the most successful operations led by Zaitsev was discovered, i.e. his connections with the colonel of the Austrian army, Martin Muller, who was found guilty by the court and sentenced to three years in prison in 2020 for giving confidential military information data to Russia. Meanwhile, an Austrian court issued an arrest warrant for Zaitsev, after uncovered evidence suggested he was the main point of contact for the Austrian colonel.
According to available data and evidence, Zaitsev trained Colonel Mueller in the use of sophisticated communication equipment, which he used to transmit classified information to Moscow. Mueller was thoroughly trained to connect with Russia’s Strela-3 military satellites as they flew over Central Europe.
The retired Austrian colonel cooperated with the Russian military intelligence service since 1987, receiving a total of at least 280,000 euros in return. He spent the last five years before his retirement working in the Structural Planning Department of the Austrian Ministry of Defense in Vienna. Martin Mueller leaked classified information about the air force, artillery and the migrant crisis to Russia.
As a colonel of the partner army, he participated in several NATO events, so he managed to get detailed information about what methods the Alliance uses to protect against attacks with improvised explosive devices – which are one of the most frequently used weapons of the Taliban against allied troops in Afghanistan.
He was an important asset of the GRU due to frequent meetings with Russian spies not only in Austria, but also in Slovakia, the Czech Republic, Croatia, Hungary and Slovenia. He was specially trained and had at his disposal the technique for successfully carrying out espionage activities for the needs of Russia. During his espionage career, Mueller personally met with Russian agents, some of whom are also known for their activities in Montenegro. One of them is Eduard Shishmakov, who was sentenced by the High Court in Podgorica to 15 years in prison for participating in a terrorist attack on the day of the parliamentary elections in Montenegro in 2016.
In addition to Shishmakov, Muller also met with the commander of his unit 29155, Andrei Averyanov. This unit specializes in assassinations or sabotage with the aim of destabilizing European countries, among other things, it was behind the poisoning of Sergei Skripal and his daughter in Salisbury, England, the setting of an explosion in an ammunition warehouse in the south of the Czech Republic in 2014, when two Czech soldiers were killed, as well as the attempted coup in Montenegro in 2016.
Igor Zaitsev not only supervised Mueller, but also the entire intelligence network of Russian agents – that is, GRU agents operating under diplomatic protection in the Central European region – who communicated with him or who were sent to gather information.
These were the same agents that Slovakia expelled in 2020 after the misuse of Slovak visas in the assassination of a Chechen activist in Berlin.
GRU activities in cyberspace
In the period of the finalization of Montenegro’s accession to NATO, which coincided with the parliamentary elections in October 2016, Russia significantly activated and intensified its presence not only through disinformation campaigns by the Russian media, coup attempts, but also cyber attacks by the GRU, i.e. their ATP28 group Advanced Persistent Threat 28, known as Fancy Bear).
According to our data, the most severe hacking attacks by the GRU (not taking into account the cyber attacks on the Government infrastructure from August 2022, where the epilogue of the investigation is still awaited) in Montenegro took place in 2017 at the time of Montenegro’s accession to the NATO alliance and on the day of the parliamentary elections in 2016.
During three months of 2017, the services of the Government and state institutions, as well as some pro-government media, were threatened. The Montenegrin Ministry of Defense then reported that it was the target of a ‘phishing attack’, via emails that appeared to come from the EU and NATO with attachments, and which allowed hackers to install the Gamefish malware on the Ministry of Defense’s computers, which are bookish methods used by the APT28 group.
A gamefish is a Trojan (virus) that offers a hacker broad access to a target computer, including data exfiltration, log access, and other surveillance capabilities. US intelligence has further indicated that the APT28 group is linked to the Russian military intelligence service GRU and funded by the Kremlin. APT28 was also found to be responsible for attacks on the German Bundestag in 2015, French television station TV5 Monde, an attempted attack on the Organization for the Prohibition of Chemical Weapons (OPCW), and the 2018 Pyongyang Winter Olympics.
On the day of the parliamentary elections on October 16, 2016, Montenegro faced frequent DDoS attacks (distributed denial of service attack), which targeted websites of state institutions, pro-NATO and pro-EU political party websites, civil society websites and election observers. As a result of these activities, information and websites of some political parties were hacked.
After a series of attacks, at the beginning of 2017, Montenegro requested the help of NATO and Great Britain, which helped to successfully repel two attacks at the end of the same year.
Due to these events, at the beginning of October 2019, members of the US Cyber Command arrived in Podgorica, with the aim of investigating signs of Russian penetration into the networks of the Montenegrin government, but also to create an insight into the adversary’s cyber threats in anticipation of the upcoming US and Montenegrin elections in 2020.
Based on information in the Montenegrin media, as well as publicly available data on previously identified cases of Russian agents operating in certain European countries, including Montenegro, it is evident that the Russian military intelligence agency (GRU) has developed its agency network in Europe, which primarily aimed at collecting data on the activities and structure of NATO and the destabilization of individual member states of the Alliance, which DFC has written about before. In this regard, the case of the Austrian Colonel Muller is indicative, on the basis of which it is possible to establish an analogy with the methodology of the Russian agency network in the region as well, bearing in mind the current security events and opportunities. It is evident that certain Russian agents, who also carried out their activities in Montenegro, are members of the same network that has been coordinated from the same center of activity for years. /DFCME