Badin steganography cover

Cyber and secrets: a picture is worth a thousand words

One of the most famous cyber-agent groups is the unit 26165 of the Gru (Glavnoe razvedyvatel’noe upravlenie, i.e. the Main directorate for information).

The Gru is the Russian military secret service and unlike other agencies like Svr, Fsb, and Fso, all “descent” of the Kgb, the former Soviet secret service, it does not report directly to Vladimir Putin but to the Ministry of Defense and the Russian General Staff.

The Strontium goes into action

Among the many actions carried out by unit 26165, through a group of agents called Strontium (or even Atp28, Sofacy, Pawn Storm, and Fancy Bear), in 2016 there was disinformation and violation of e-mail accounts of John Podesta, Hillary Clinton and other staff from the Democratic electoral staff during the presidential election that brought Donald Trump to the White House.

An agent of this unit, in particular, had already hit the German parliament the year before, with a cyberattack using the phishing technique and being able to deceive several MPs and members of the Chancellor's Angela Merkel office at the Bundestag subtracting passwords and other sensitive information for a total of 16 gigabytes.

Badin unità 26165

Fbi on the trail of Dmitry Badin

This agent was Dmitry Sergeyevich Badin, born on November 15, 1990, but already famous all over the world in the cyber-espionage sector still sought after by the Fbi together with 10 other agents (here his information sheet, where the FBI warns that it is to be considered potentially armed and dangerous) for a series of crimes including identity theft and money laundering as well as computer fraud.

According to the FBI, Badin should be in Moscow: he is certainly, or at least he was, on the Russian social network V-Kontakte (, obviously via aliases. One (id 4503478), discovered by the team of investigative journalists Bellingcat, was deleted.

Others may still be active under pseudonyms such as Scaramouche or Nicola Tesla, identified thanks to two mobile numbers found and used by Badin.

Curious as it may sound, the cell phones of other agents of the 26165 unit had been found online by Sobesednik journalists already in 2018 on the sites, and yougorod.comknown to publish fake sale and purchase ads and then put "offline".

Steganography: inserting texts into images

Unit 26165 obviously does not only deal with data theft but also with encryption. For this activity, Badin and colleagues use software that is now able to insert encrypted texts into image, video, or audio files. For example in the photos of kittens that are popular on social media.

Some of this software is even available on the net, like OpenPuff. OpenPuff use steganography (literally: covered writing, a technique already used in the time of Herodotus) to insert a text, which will be obfuscated and encrypted as well as being protected by a password, within a container file.

To prevent the text from altering the image that contains it in an eye-catching way, you can also use different files to hide parts of a single document, making it necessary to read the hidden message also to know the original order of the container files.

steganografia OpenPuff

OpenPuff and other software for your secret messages

With OpenPuff you can obviously also extract a hidden text, insert a digital signature ("watermark") or delete the hidden text and/or the watermark.

Other software that allows anyone to hide messages in image and video files are Mozaiq, MobileFish, Secretbook (for Chrome), S-Tool (for Windows), and iSteg (for Mac). All available (far too easily) on the web.

In short, maybe agent 007 will no longer be there, but cyber-spies are very active and present among us. Maybe even among those who read Perhaps, who can say it?