Russia’s cyber raiders foiled in humiliation for Putin
Red handed: the evidence trail that led intelligence services to a cell of Russian agents
SECURITY services yesterday made a co-ordinated effort to humiliate and dismantle Vladimir Putin’s network of cyber hackers as they exposed a series of plots targeting the West.
British and Dutch intelligence agencies named four officers from Russia’s military intelligence services, the GRU, who were caught “in flagrante” as they mounted an attack on the international chemical weapons watchdog.
The four men, travelling under the names Aleksei Morenets, Evgenii Serebriakov, Oleg Sotnikov and Aleksey Minin, flew to the Netherlands from Moscow and attempted to hack into the Wi-fi at the Organisation for the Prohibition of Chemical Weapons (OPCW) from a rental car parked outside its headquarters in The Hague. The four men were apprehended and sent back to Moscow.
The foiled attack, on April 13, came just over a month after the Salisbury spy poisoning, which was also carried out by two GRU agents. At the time, the OPCW was analysing samples of the Salisbury nerve agent to assess the UK’s claim that Novichok was used.
Security services said a laptop seized from the men showed attempts to hack investigations in Malaysia into the downing of Flight MH17 and in Switzerland, where the World Anti-doping Agency was targeting Russian athletes.
The computer also contained plans to travel to a Swiss lab which was analysing samples of Novichok.
A government source said the disclosures were about “smashing” the GRU and undermining Vladimir Putin’s credibility. “This is about setting out the facts in such a clear way that they are undeniable,” the source said.
“For GRU officers to be caught in this way would be considered a pretty bad day,” a British security official said.
Yesterday the Government released details of two other failed attacks, on the Foreign Office and the Defence, Science and Technology Laboratory in Porton Down in June.
Hours later the US Department of Justice said it had charged seven Russian military intelligence officers with hacking hundreds of people in 30 countries. They included the four officers behind the Hague attack. The Dutch authorities released a 35-page dossier detailing the Hague attack, which named the spies and carried pictures of their passports.
Security officials also revealed a series of blunders by the Hague hackers in an apparent attempt to ridicule their spycraft. One of the men had a taxi receipt for the journey from GRU headquarters to Moscow airport. A photograph of one operative with a woman at the Olympic Games in Brazil was also published.
In a joint statement with the Dutch prime minister, Theresa May said: “The GRU’s reckless operations stretch from destructive cyber activity to the use of illegal nerve agents, as we saw in Salisbury.” A UK security official added: “It’s hard to know their full intent as their operation failed but judging from their past form elsewhere it could have been to discredit the investigation.”
Jeremy Hunt, the Foreign Secretary, said the GRU was waging a campaign of “indiscriminate and reckless” cyber attacks against political institutions and added that Russia faced further sanctions. The EU is expected to introduce a new sanctions regime later this month for chemical weapons attacks, which the UK will use to target Russians involved in the Salisbury spy poisoning.
The US indictment accuses seven hackers of “computer hacking activity” between 2014 and 2018. They used a combination of “remote” hacking attempts from Russia and “close access” attacks to compromise their targets. The attacks on the Foreign Office and Porton Down involved “spear phishing” in which spoof emails loaded with malware are sent to target organisations.
Moscow said the British allegations were a “hellish perfumed mixture”, in a reference to the perfume bottle that police say was used to transport the Novichok nerve agent used in the Salisbury attack.
THE night before four Russian spies were caught trying to hack into the world’s chemical weapons testing headquarters, they had drunk three cans of Heineken, a bottle of Lowenbrau lager, two bottles of Aldi’s orange juice and eaten a packet of cold chicken slices.
The agents had gathered up the remnants of their cheap picnic and stuffed the rubbish into a plastic bag, fearful of leaving DNA and fingerprints in their hotel room.
They needn’t have bothered with the clean-up operation. A few hours later, the four spies – two cyber hackers and two “heavies” – had been detained in a Dutch intelligence swoop.
Their arrests have proved devastating to the GRU, the Russian military intelligence unit that was behind the nerve agent attack in Salisbury. The GRU, caught “in flagrante”, as one British security official put it, stands humiliated and exposed; their operation bungled.
The four Russian spies may have taken the trouble to destroy their hotel rubbish, but they had neglected to leave their laptops and mobile phones behind in Moscow. The equipment contained damning proof of the cyber hacking operations of the GRU’s notorious Unit 26165, also known as “GRU 85 Main Special Service Center”.
One of the men had brought with him his personal computer showing he had been at the Rio Olympics in Brazil in 2016; in Kuala Lumpur, Malaysia, in 2017 and in Lausanne in Switzerland in Sept 2016. Here was evidence that Russian agents had been criss-crossing the globe, attending events where cyber hacking had been rife. Another of the spies had brought a taxi receipt showing he had been picked up from Unit 26165 headquarters.
One senior British military officer said last night: “This is pure John-ski English” in reference to the bungling spy played by Rowan Atkinson.
The four GRU agents – named yesterday as Aleksei Morenets, Evgenii Serebriakov, Oleg Sotnikov and Alexey Minin – had flown into Amsterdam’s Schiphol Airport from Moscow on April 10, where they were met by a senior official from the Russian embassy. This was an approved Kremlin operation.
The men had travelled on official diplomatic passports with the intention of hacking into the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. The OPCW was examining samples of Novichok nerve agent used in the assassination attempt on Sergei Skripal, the former GRU colonel turned traitor.
The Kremlin wanted to compromise the OPCW and maybe get dirt on it. This was a clean-up operation after Salisbury. The men were part of a cell within Unit 26165 called Sandworm, also responsible for attacks on the Foreign Office and Porton Down, the UK’s chemical weapons testing laboratory.
The men’s passports are telling. Two – those of Morenets and Serebriakov – have identical passport numbers, bar one digit, suggesting the GRU has been issuing passports in batches, making it potentially easy for foreign intelligence services to recognise other GRU spies in Unit 26165.
A taxi receipt on the day of the flight, found on Morenets after the arrests, showed the agent had picked up a cab in Nesvizhsky Pereulok to take him to Sheremetyevo Airport. The street is located at the rear entrance of Unit 26165’s headquarters. Morenets had not only got a taxi straight from work to the airport, he hadn’t even bothered to discard the receipt.
A day after landing, the four men hired a budget Citroën C3, barely big enough to contain the two cyber hackers Morenets and Serebriakov and the burlier support team of Sotnikov and Minin.
The men were carrying $20,000 (£15,500) and €20,000 (£17,500) in cash, but kept to budget. The small rental car cost €164 for five days’ hire. Sotnikov hired the car with the bearded Minin as the designated second driver.
The Moscow address given by Sotnikov when hiring the car is a nondescript block where nobody yesterday recognised the GRU agent. “We’re not hiding any cannons, we’re not storing any nuclear bombs here,” laughed one resident who didn’t recognise Sotnikov and had never heard the name.
Perhaps tellingly the address is close to another fake GRU address – the one given by Anatoliy Chepiga, also known as Ruslan Boshirov, on his visa entry form when flying to the UK in March this year to murder Colonel Skripal, the double agent.
The men packed the Citroën’s smallish boot with spy gadgetry, known in the trade as “spider fit”, because the kit is based around a central computer hard drive with wires resembling spider legs attached to antennas, mobile phones and other bits of hardware. There was a transformer, a bag containing a battery, a Wi-fi antenna and a 4G smartphone hooked up to the computer.
They also bought a battery unit in the Netherlands to power up the kit, before resting the first night at a hotel whose location has not yet been disclosed.
On April 11, the men checked into the Marriott Hotel in The Hague, a stone’s throw from the OPCW headquarters. On April 9, the day before they left Moscow, Serebriakov’s laptop, recovered by Dutch intelligence, showed he had put into Google Maps “The+hague+marriott+hotel” and the “Organisation+for+the+prohibition+of+ Chemical+weapons”.
The resulting search would have shown Serebriakov that the hotel car park abutted the OPCW. Once in situ, they began reconnaissance, the Dutch later seizing a camera belonging to Minin that showed the gang scouting the OPCW in the two days before they attempted to hack into the building. On the day of the attack itself, Minin took a photo of his colleague Morenets leaving the hotel.
On April 13, they duly parked the hire car with the boot facing the OPCW headquarters. While the two cyber hackers were setting up, Sotnikov took a trip to the railway station at The Hague and bought four tickets for departure from Utrecht to the Swiss capital Bern, via Basel.
They planned to leave on April 17. Near Bern is the OPCW laboratory that was processing the Novichok nerve agent samples handed to the watchdog by Britain. The scheme was clear: hack the OPCW headquarters, and once completed, move on to the lab itself.
Federal prosecutors in the US – who yesterday charged the gang in absentia – said the equipment in the rental car was capable of both “long-distance, surreptitious interception of Wi-fi signals, as well as harvesting of Wi-fi user credentials”.
Back at the hotel car park, with the equipment activated, Morenets and Serebriakov set about breaking into the OPCW computer system. But their attempts simply triggered some kind of alarm that OPCW was under cyber attack. According to the MIVD, the Dutch military intelligence and security service, agents moved fast.
“It was evident that this was a close-access hack operation,” said Onno Eichelsheim, the MIVD director. “The focus was the OPCW. They hired a Citroën C3 with registration number PF934R.
“At 4.30pm, this apparent hack was active, and we had a direct digital threat to the operation of the OPCW. Then we decided to disrupt this operation and put these people out of the land to protect the OPCW.”
That at least is the official version. Some experts suggest the Russians had been under surveillance since entering the Netherlands. A photograph released yesterday by Dutch intelligence shows the moment the men were captured. “The conspirators,” according to US prosecutors, “abandoned their equipment”, including a backpack belonging to Serebriakov. Morenets had tried to smash his smartphone with a “size 12 boot”, according to one British official. “For the GRU to be caught in this way would be considered a pretty bad day,” he said.
What investigators found was a treasure trove. One of the phones was first activated near GRU headquarters, showing the link of the cyber gang.
The men were held and then let go, sent back to Russia. They had travelled under their own names. Serebriakov was a keen amateur footballer, who played in a side now being referred to as the “security service team”. By looking at the other players, intelligence services may be able to identify further GRU agents.
Sander Kuypers, a spokesman for the Dutch ministry of defence, defended the decision to break up the operation but then deport the men. “This was a secret service operation. It’s different from the police. Deporting them was the best option,” said Mr Kuypers.
On Serebriakov’s laptop, investigators found him posing at the Rio Olympics with a younger woman, whose face has been blanked out. It also shows him logging on to Wi-fi in Malaysia in December 2017, staying at the Grand Millennium Hotel in Kuala Lumpur at the time when the country was investigating, along with the Dutch, the shooting down of Malaysian Airlines flight MH17 over Ukraine, for which Russia was blamed. Serebriakov was also in Lausanne in Switzerland in Sept 2016; his apparent goal was to hack into the World Anti-doping Agency (Wada) and to infect its systems with GRU malware. Wada was investigating state-sanctioned Russian doping.
The team sent to hack OPCW was on a “clean-up” operation to deal with the “mess” left behind after Salisbury. But in trying to clean up, they messed up.
Theresa May pledged last month to dismantle the GRU. The GRU have helped her do just that.