ctipilot.ch · Switzerland · Europe · Public sector

Bauman University 'Department No. 4' — leaked GRU cyber-operator training pipeline (joint The Insider / Guardian / Le Monde / Spiegel investigation)

campaign · research:bauman-gru-pipeline-investigation-2026

  • Coverage timeline: 1 (first 2026-05-10 → last 2026-05-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 5 (5 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-10 · CTI Daily Brief — 2026-05-10
    research · First coverage. 2,000+ leaked Bauman docs; structured GRU training pipeline placing 10–15 graduates/yr into military intelligence units. 144-hour 'Countering Technical Intelligence' curriculum trained against US-DoD topologies. Records link graduates to GRU Unit 74455 (Sandworm/VoodooBear) and APT28 (Fancy Bear). Confirms structured technical-intelligence training stream behind GRU cyber operations targeting EU government, election, energy, telecom infrastructure.

Where this entity is cited

  • research: 1

Source distribution

  • heise.de: 1 (20%)
  • lemonde.fr: 1 (20%)
  • meduza.io: 1 (20%)
  • spiegel.de: 1 (20%)
  • theguardian.com: 1 (20%)

Items in briefs about Bauman University 'Department No. 4' — leaked GRU cyber-operator training pipeline (joint The Insider / Guardian / Le Monde / Spiegel investigation) (1)

Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

A six-publisher investigative consortium (The Insider, The Guardian, Le Monde, Der Spiegel, VSquare, Frontstory) published more than 2 000 leaked internal documents from Bauman Moscow State Technical University on 2026-05-07 detailing a structured GRU recruitment-and-training pipeline operating under the cover of "Department No. 4 — Special Training" (Meduza (English), 2026-05-07 · The Guardian, 2026-05-07 · Le Monde, 2026-05-07 · Der Spiegel, 2026-05-07 · heise online, 2026-05-07). Each year 10–15 graduates are placed directly into Russian military intelligence units. The 144-hour core curriculum, labelled in the documents "Countering Technical Intelligence", covers password attacks, CVE-driven exploitation using Metasploit against US DoD network architectures by name, custom trojan development, DDoS methodologies, penetration testing against Western targets, computer-virus construction, and propaganda/manipulation training. Candidates are physically assessed at a mandatory training camp; each placement requires explicit GRU approval.

The leaked assignment records explicitly link graduates to GRU Unit 74455 (Sandworm / VoodooBear — responsible for the 2015–2016 Ukraine power-grid attacks, 2017 NotPetya global wiper, and 2023 Kyivstar telecom outage) and to APT28 (Fancy Bear — responsible for the 2016 Bundestag hack and the 2017 Macron campaign breach, with continuing 2025–2026 activity against EU government and election-adjacent targets). For European defenders the salient operational point is that the curriculum trains specifically against Western and US-DoD topologies — meaning the training pipeline is producing operators whose default mental model of a target network is a NATO-aligned environment, not a generic enterprise. The investigation does not change short-term defensive priorities but reframes the long-running attribution debate: GRU cyber units are not ad-hoc-recruited contractors; they are graduates of a structured technical-intelligence training stream with measurable annual throughput.