Unveiling the GRU’s Cyber Playbook – Mandiant

In this blog post, we delve into a comprehensive analysis of a recent article published by Mandiant, a part of Google Cloud, titled “The GRU’s Disruptive Playbook”. The article, authored by Dan Black and Gabby Roncone, provides an in-depth examination of the disruptive cyber operations conducted by the Russian military intelligence (GRU) against Ukraine. This post aims to present a detailed threat intelligence perspective on the GRU’s tactics, techniques, and procedures (TTPs), offering valuable insights for cybersecurity professionals and organisations worldwide.

Incident Details and Lessons Learned

The article outlines the GRU’s standard five-phase playbook, which has been observed since the invasion of Ukraine in February 2022. Mandiant assesses that this playbook represents a deliberate effort by the GRU to escalate the speed, scale, and intensity of its offensive cyber operations while reducing the chances of detection.

The GRU’s playbook includes the following five operational phases:

  1. Living on the Edge: The GRU leverages compromised edge infrastructure, such as routers, VPNs, firewalls, and mail servers, to gain initial access into targets.
  2. Living off the Land: The GRU uses built-in tools for reconnaissance, lateral movement, and information theft on target networks, likely aiming to limit their malware footprint and evade detection.
  3. Going for the GPO: The GRU creates persistent, privileged access from which wipers can be deployed via group policy objects (GPO) using a tried-and-true PowerShell script.
  4. Disrupt and Deny: The GRU deploys “pure” wipers and other low-equity disruptive tools such as ransomware to fit a variety of contexts and scenarios.
  5. Telegraphing “Success”: The GRU amplifies the narrative of successful disruption via a series of hacktivist personas on Telegram, regardless of the actual impact of the operation.

Threat Actor Profile: The GRU

The GRU, Russia’s military intelligence agency, has been identified as the primary threat actor behind these disruptive operations. The GRU’s playbook has been observed in use by multiple distinct Russian threat clusters throughout the war, indicating its central role in standardising operations across multiple subteams to deliver more repeatable, consistent effects.

The GRU’s disruptive playbook integrates the full spectrum of information confrontation capabilities that Russia conceptually defines as cryptographic reconnaissance of information and communication systems (KRIKS), information-technical effects (ITV), and information-influence effects (IPV).


The GRU’s disruptive playbook offers a valuable case study for understanding the evolving landscape of cyber warfare. It demonstrates the integration of cyber and information operations into a unified wartime capability, providing a blueprint for future crises and conflict scenarios.

We would like to extend our gratitude to Mandiant for their comprehensive and insightful analysis of the GRU’s disruptive playbook. Their work continues to provide invaluable insights into the evolving landscape of cyber threats.

This blog post is based on the original article by Mandiant, “The GRU’s Disruptive Playbook”. We encourage readers to view the full article for a more detailed understanding of the GRU’s tactics, techniques, and procedures.