Daily Mail

Caught red handed

Data trail led to humiliation for Kremlin’s gang of hackers

By Jemma Buckley, Defence Reporter

STROLLING through an airport in Amsterdam, these four Russian agents would soon be caught red-handed carrying out a botched cyber-attack.

Yesterday they faced global humiliation as the authorities exposed their failed attempt to hack into the chemical weapons watchdog which was investigating the Salisbury poisonings.

A devastating trail of evidence shows how Moscow’s team of spies from the GRU military intelligence service – operating under the name Sandworm – attempted to use a rig of computers, antennae and phones hidden in the boot of a rented car to gain access to the organisation’s IT systems.

Yesterday, in an unprecedented step, Dutch authorities produced a dossier of evidence showing how the spies tried to launch a ‘close-access’ cyber-attack from a street in The Hague.

It was in April this year – little more than a month after the Salisbury attacks – that the bungling GRU squad attempted to infiltrate the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Dutch city.

Here, we detail how the unit was caught red-handed attempting to carry out the brazen cyber-attack.

1. PLANNING IN MOSCOW

At 7.09am on the morning of April 9, Russian GRU agent Yevgeny Serebriakov, 37, opened up his laptop and began to Google the acronym ‘OPCW’.

At that time, the OPCW was conducting an investigation into the use of novichok, a military-grade nerve agent, in the poisoning of Sergei Skripal and his daughter Yulia in Salisbury on March 4.

It was also examining an alleged chemical attack by Syria’s Russian-backed military in Douma.

Serebriakov’s searches took him to Google Maps and to the headquarters of the OPCW in The Hague.

The following day, one of his GRU colleagues jumped in a taxi outside a GRU barracks in Moscow and headed towards the airport.

A scrap of paper found by Dutch investigators shows that Russian spy Alexei Morenetz, 41, paid 842 roubles, or £9.60, to travel the 20 miles from the city’s Nesvizhskiy Pereulok street to Sheremetyevo Airport, just north of the capital.

The receipt carries Morenetz’s name and signature and is dated April 10, the same day the unit arrived in Amsterdam.

The day before, one of the four hackers had activated a brand new Sony Xperia mobile phone. Data shows that when it was switched on, it connected to the nearest mobile mast, located just a few streets away from the same GRU barracks.

Last night it emerged that Morenetz is registered at an address in Moscow known to be a Russian military intelligence base. The specific address is believed to be home to Military Unit 26165, a unit of the GRU military intelligence service. Another of the Russians, Alexei Minin, also has an address related to the Russian military. He is registered as living at a building on Narodnogo Opolcheniya street in Moscow. This is the legal address of the military academy run by the Russian defence ministry.

2. FLYING TO AMSTERDAM

The four-strong GRU unit flew into Amsterdam’s Schiphol Airport on April 10 using diplomatic passports.

They were met by an official from the Russian Embassy, who was captured on CCTV escorting the group through the arrivals hall.

Passport details show the hackers travelled under the names of Morenetz, 41, and Serebriakov, 37, who were described by Dutch officials as ‘cyber operators’.

The other two men, thought to be ‘supporting agents’, were named as Oleg Sotnikov, 46, and Alexei Minin, 46.

Investigators found the issue numbers on the passports belonging to Morenetz and Serebriakov were sequential – suggesting they were printed at exactly the same time.

After landing in Amsterdam, the group bought equipment that would later be used in their hacking attempts.

Receipts show that at 4.14pm they spent almost £200 on batteries and power supplies that would later be used to run laptops and mobiles used in the hack attempt.

The following day, on April 11, Sotnikov and Minin hired a nondescript dark grey Citroen C3 from a local car rental company. They then began a reconnaissance mission around the OPCW.

Pictures found on Minin’s camera phone show how they checked out the location, with pictures also showing various views of the Marriott Hotel, where they stayed, which is conveniently located next door to the OPCW building.

3. THE BRAZEN HACK

On Friday, April 13, the unit carefully parked their Citroen C3 hire car on the road closest to the OPCW headquarters.

They carried out what is known as a ‘close-access’ cyber-hack. This type of infiltration must be done in close physical proximity to the target network.

It can involve tricking legitimate users of the network to log in to a fake system, or it can involve looking for unsecured laptops using the network that they can compromise and gain access to. The hackers had already failed to infiltrate the OPCW using so-called ‘remote spear phishing’ techniques from Russia. This involves sending targeted individuals emails which attempt to trick them into giving away sensitive information, or which download malware to their computer.

4. A DRAMATIC ARREST

As the four spies stood next to their car parked up near the OPCW, Dutch counter-intelligence services, who had been monitoring their activities, swooped.

In a panic, one of the GRU agents threw his phone to the ground to smash it and destroy any evidence it contained.

But the Dutch investigators opened the boot of the car to discover the unit’s mobile hacking kit. This contained a battery, transformer and a laptop connected to a smartphone and an antenna pointed towards the OPCW building. Another antenna, on the car’s parcel shelf, had been hastily covered by a black overcoat.

The Dutch officers began to uncover a host of other evidence which would tie them not only to this hacking plot but to others around the world.

The four were carrying at least ten other mobile phones and more than £33,000 in cash – 20,000 in euros and 20,000 in US dollars.

They also had with them a plastic bag filled with empty Heineken beer cans and soft drink bottles, which they appeared to have taken from their hotel room. ‘They were clearly not here on holiday,’ the head of the Dutch intelligence service joked yesterday. The hackers were escorted back to the airport and expelled from The Netherlands. They returned to Moscow. British Government officials yesterday said it was for the Dutch to explain why the suspects had not been arrested.

Investigators later discovered the four had been planning to travel by train to the OPCW laboratory in Spiez in Switzerland. Tickets carrying the names of all four agents show they had planned to depart on April 17 and head to the Swiss capital Bern via Basel.

5. THEY’D DONE IT BEFORE

This was not the first time the agents had travelled to Switzerland. Intelligence collected from a laptop belonging to one of the GRU officers held in The Hague shows it had connected to wi-fi at the Alpha Palmiers Hotel in Lausanne in September 2016.

At that time, a conference of the World Anti-Doping Agency was taking place.

It had banned Russian athletes from competing amid a state-sponsored doping scandal.

The conference was also attended by officials from the International Olympic Committee and the Canadian Centre for Ethics in Sport, who found themselves victims of a cyber-attack.

One official had their laptop compromised by ‘APT28’ malware, which then spread to the Canadian Centre’s systems. Hackers also compromised the IP addresses of the International Olympic Committee.

The laptop belonging to Serebriakov, which was seized during the Dutch operation, revealed he had carried out ‘malign activity’ in Malaysia.

During that operation, the GRU attempted to collect information about the fate of Malaysian airlines flight MH17, which was shot down over Ukraine in July 2014 by a missile that belonged to a Russian military unit.

Hacking attempts targeted the Malaysian government and institutions including the Attorney General’s office and the Royal Malaysian Police.

The findings of the Dutch intelligen­ce agencies were swiftly shared with British allies.

The GRU spies were found to be part of what the Russian military refer to as Unit 26165, or GRU 85 Main Special Service Centre.

The unit is home to the Russian military’s best mathematical minds and is believed to have run the hacking campaign that sought to influence the 2016 US presidential election.
