Western intelligence yesterday revealed the trail of clues that bungling Russian spies known as Unit 26165 left in their wake as they waged a war of disinformation across the globe.
Kremlin agents working for the GRU targeted FIFA, the World Anti-Doping Agency and the Organisation for the Prevention of the use of Chemical Weapons as it investigated both the Salisbury novichok attack in the UK as well as the Douma chemical weapons attack in Syria, the international investigation of the downing of MH17 and a US company providing nuclear power to Ukraine.
President Vladimir Putin’s elite squad even created the fake ‘hacktivist’ group Fancy Bears to disseminate misleading statements designed to exonerate Russia of doping allegations and instead level them at the US.
But it was yesterday revealed that the spies left a trail of clues including blunder after blunder during their international campaign.
These extraordinary errors included:
- The cyber unit’s ‘burner’ mobile phones had their sim cards activated outside the headquarters of the GRU in Moscow;
- Taxi receipts found in their Dutch hire car show that the men travelled from their spy centre to Moscow airport ahead of their hacking mission;
- The four GRU agents being identified the moment by secret services as they arrived at Amsterdam’s Schiphol Airport – and in an extra giveaway they were even met by a Russian handler;
- They were followed and a MI6/Dutch spy team caught them red handed trying to hack into the OPCW’s wifi network using a boot full of kit;
- When confronted they tried to smash and stamp on their phones and equipment;
- The hackers had tickets, Google Maps routes, train tickets and Google searches setting out their mission;
- They stayed in the Marriott Hotel next door to the OPCW and took out their bag of rubbish including cans of Heineken and packets of ham to avoid leaving evidence;
- They targeted the OPCW just two days before they released their interim report into the Salisbury poisoning – the timing gave them a motive;
- Two of the four men had the passport numbers 0135555 and 0135556 – showing that they were issued at the same time – a clear sign they are state-sponsored spies;
- A laptop seized linked the men to cyber attacks across the globe including a selfie of a spy posing at an Olympic event in Rio in 2016 – where he also apparently hacked into athletes’ medical records;
Putin hugs Indian Prime Minister Narendra Modi in New Delhi today as the GRU scandal rocked the Kremlin and embarrassed their security services
The bungling started when four Unit 26165 spies – two cyber specialists and two field agents – were caught in the Hague trying to use a fake wireless router to acquire logins to the wireless network of the Organisation for the prohibition of Chemical Weapons in April.
At the time the OPCW was investigating the GRU’s Novichock attack on Sergei Skripal in Salisbury.
One spy was caught with a mobile phone that had been activated on the GRU’s doorstep in Moscow. Then a taxi receipt revealed a journey from GRU headquarters to Moscow’s Sheremetyevo airport the very day that four agents arrived in Amsterdam, when two of the spies were seen using consecutive passport numbers.
Operatives who would later be found to have cleared out an Aldi bag of empty lager cans from their hotel room to try and hide DNA evidence.
And when the men were arrested, they were caught with €20,000 (£17,000 or $23,025) and $20,000 (£15,000) in cash. The group also tried – and failed – to destroy a mobile phone, and they were caught with incriminating laptops.
One laptop even contained selfies from the 2016 Olympics in Brazil where Russian athletes’ doping samples were tampered with and US athletes’ medical records leaked.
And late last night it was revealed that a laptop had the Spiez laboratory in its search history. Train tickets revealed that the spies planned to visit the centre in Bern on April 17. It houses the Swiss body that protects the population against nuclear, biological and chemical attacks or other dangers.
The revelation came as the website Bellingcat circulated a dating profile thought to belong to agent Alexei Morenets – whose geolocation was listed as within 650 metres of the intelligence service’s headquarters. The site also found the spy’s car registered to the GRU’s department for cyber warfare using a 2011 database of ownership.
Another agent, Evgenii Serebriakov, used an email with the name Casey Ryback, a character played by Steven Seagal in the film Under Siege, which tells the story of terrorists attacking an American ship, today’s The Times reports.
Operatives used a laptop, Wi-Fi dongle and a rudimentary battery pack stored in the boot of a rented Citroen C3 in a botched cyber attack on the global chemical weapons watchdog.
Using a technique from the early days of Wi-Fi, they attempted to break into the Organisation for the Prohibition of Chemical Weapons’s network in The Hague by tricking staff into logging into their fake router.
They parked the car at a local hotel and disguised the Wi-Fi antenna hidden inside the router, so staff would login. The laptop then stole their username and password, allowing the agents to get into the OPCW’s network.
Through the network they could spy on operations within the building, including investigations into the Salisbury Novichok attack.
It also emerged today that Russia’s bungling GRU agents left a trail of clues that helped authorities link them to the string of cyber attacks.
Among the items revealed at an extraordinary briefing in The Hague was a mobile phone one of the men was caught with having been activated near the Russian military intelligence’s headquarters in Moscow.
The GRU used a laptop, Wi-Fi dongle and a rudimentary battery pack stored in the boot of a rented Citroen C3 in its botched cyber attack on the global chemical weapons watchdog, it was revealed today
When leaving The Hague, the men took all the rubbish from their room – including empty cans of Heineken beer and what appeared to be an empty cold meat packet in an Aldi bag – in a further bid to cover their tracks
Evgenii Serebriakov was among four Russians trying to hack chemical weapons inspectors and his laptop contained this selfie at the 2016 Olympics in Brazil – revealing one of more than a dozen GRU missions across the globe
The boot of a car filled with hacking equipment in the Citroen rental car which was being used by the four Russian officers
One of the many phones belonging to four Russian GRU officers is seen after they tried to destroy it when they were arrested
When the men were arrested, they were caught with €20,000 (£17,000) and $20,000 (£15,000) in cash
Also discovered on one of the spies was a taxi receipt showing a journey from a street next to the GRU base to Moscow Airport on April 10, the day that the four agents later arrived at Amsterdam Schiphol Airport.
The team of four GRU officers travelling on official Russian passports entered the Netherlands on April 10 – but it turned out that two of them were carrying documents with consecutive passport numbers.
On April 11, they hired a Citroen C3 and scouted the area around the OPCW – all the time being watched by Dutch intelligence. To hire the car they were required to give their addresses – and the operatives opted for Moscow locations, according to The Times.
Russian president Vladimir Putin waves to spectators prior to boarding a car after his arrival in New Delhi as the GRU’s campaign of cyber warfare against the west was today exposed
The agents, who stayed at a Marriott Hotel next to the Organisation for the Prohibition of Chemical Weapons in The Hague, were also found to have used public WiFi hotspots to conduct their operations in the Netherlands.
And they were photographed performed reconnaissance of the OPCW headquarters, where the nerve agent sample was being independently verified.
When leaving The Hague, the men took all the rubbish from their room – including empty cans of Heineken beer and what appeared to be an empty cold meat packet in an Aldi bag – in a further bid to cover their tracks.
On April 13, the GRU officers were said to have parked a rental car with specialist hacking equipment outside the OPCW’s headquarters to breach its systems – but British and Dutch intelligence thwarted the operation.
The team of four GRU officers travelling on official Russian passports entered the Netherlands on April 10 – but it turned out that two of them were carrying documents with consecutive passport numbers
Also discovered on one of the spies was a taxi receipt showing a journey from a street next to the GRU base to Moscow Airport
And when the men were arrested, they were caught with €20,000 (£17,000) and $20,000 (£15,000) in cash. The group also tried – and failed – to destroy a mobile phone, and they were caught with incriminating laptops.
A researcher has revealed that the rudimentary technique they used to hack into the OPCW is common – though it has never been used in such a high-profile case.
Professor Alan Woodward, a computer scientist at the University of Surrey, said the Russians likely used an ordinary laptop attached to a directional antenna, which was pointed at the OPCW building.
He said unlike more common remote hacking techniques, the GRU agents needed to park close to the site in order for the WiFi signal to be strong enough.
However, before they could initiate the attack, Dutch counter-intelligence officers descended on the vehicle and seized the men, who were kicked out of the country.
The Dutch Defence Ministry took the extraordinary step this morning of naming and picturing four Russian agents caught as they tried to carry out the cyber attack.
Looking at the equipment in the boot of the car it appears they were attempting to intercept login credentials as people tried to connect to the WiFi network at OPCW, Professor Woodward said.
‘A classic way of doing this is to set yourself up as what is known as an ‘evil access point’, he told MailOnline. ‘You pretend to be the network they are attempting to connect to and steal their login details as their computer or phone tries to connect.’
The cyber security expert said it was unusual for high level intelligence officials to use such a rudimentary form of attack. ‘[The technique] has been around as long as WiFi has,’ he told MailOnline.
‘Attacks have evolved as security in WiFi has evolved. But it’s so basic that most enterprise style organisations are well protected. Hence the high profile cases tend to be from some more remote source.’
Even if the security analysts were already attached to a WiFi, the attackers would have been able to launch a ‘deauthentication attack’.
This automatically disconnects them so their device tries to reconnect. The directional antenna were pointing specifically at the OPCW offices which means the fake network – the ‘evil access point’ – would have had a stronger signal than the real signal.
This would have lured the devices away from the real network. ‘Once you have someone’s login credentials you can obviously access the WiFi as an attacker if you are in range, which this vehicle apparently was’, Professor Woodward said.
The battery would have been for powering the computer because when these attacks are mounted the device is left running for a long time so needs a big battery.
The Moscow headquarters of the GRU, from which the men took a taxi to Moscow Airport for a flight to Amsterdam
Most of those need to have their voltage converted in order to run, which explains the transformer.
Security expert Hamish de Bretton-Gordon said the cyber attacks in The Hague and at Porton Down showed Putin was bent on disrupting the investigation into the novichok attack in Salisbury.
Four Russian agents were caught with a car full of kit trying to hack into the OPCW’s IT systems just two days before their experts confirmed that novichok from Russia was used in Salisbury on Sergei Skripal.
Mr de Bretton-Gordon told MailOnline: ‘The items in the boot may not look sophisticated but there will be some high-tech equipment too and it has obviously worked for them elsewhere around the world’
‘It shows how the Russians did everything they could to undermine and disrupt the novichok investigation and try to make it fall apart. It is completely cynical and they didn’t care at all’.
He added: ‘Britain asked the OPCW to help and then soon afterwards Russian agents target them in The Hague and in Switzerland. It is no coincidence’.
‘It was evident that this was a close axis hack operation,’ said Onno Eichelsheim, director of the MIVD Dutch military intelligence and security service.
Mr Eichelsheim said that the hack was spotted at 4.30pm on April 13, at which point experts inside the OPCW noted the ‘direct digital threat’.
It was revealed that the attempt on the OPCW headquarters followed unsuccessful attacks on the British Foreign Office and UK defence laboratories at Porton Down, which were also investigating the Salisbury attack.
The team of GRU officers – travelling on official Russian passports – entered the Netherlands on April 10, just a month after the Salisbury nerve agent attack.
Three days later, they parked a car carrying specialist hacking equipment outside the headquarters of the OPCW in the The Hague, where the novichok attack was being investigated.
Dutch authorities released images of four Russian agents who tried to hack into the global chemical weapons watchdog at the time of the investigation into the Salisbury novichok attack. CCTV shows them when they were kicked out of the Netherlands
The Russian GRU hackers created an ‘evil access point’ using ‘high-grade’ WiFi equipment to hack the global chemical weapons watchdog, a security expert has suggested
The ‘close access’ hacking attempt, just a month after the Salisbury nerve agent attack, followed an earlier failed ‘spearphishing attack’ on the OPCW headquarters.
A laptop belonging to one of the four was linked to Brazil, Switzerland and Malaysia, with the activities in Malaysia related to the investigation into the 2014 shooting down of flight MH17 over Ukraine, Mr Bijleveld told a news conference.
The men were named as Alexey Minin, Evgeny Serebriakov, Oleg Sotnikov and Aleksei Morenets. At a press conference in The Hague, British ambassador to the Netherlands Peter Wilson said: ‘This disruption happened in April.
‘Around that time the OPCW was working to independently verify the United Kingdom’s analysis of the chemical weapons used in the poisoning of the Skripals in Salisbury.’
Russian Foreign Ministry spokeswoman Maria Zakharova dismissed the new hacking accusations from the UK as ‘big fantasies’.
But security experts say there could be as many as 80,000 GRU operatives working for the Russian state.
Professor Anthony Glees, director at the University of Buckingham’s Centre for Security and Intelligence Studies, told the Daily Express: ‘We believe this top secret force may have as many as 80,000 personnel. It is far larger than it was in the days of the USSR.’
In a joint statement Theresa May and Dutch prime minister Mark Rutte said: ‘We have, with the operations exposed today, further shone a light on the unacceptable cyber activities of the Russian military intelligence service, the GRU.
‘This attempt to access the secure systems of an international organisation working to rid the world of chemical weapons, demonstrates the GRU’s disregard for the global values and rules that keep us safe.
it was revealed that a laptop had the Spiez laboratory in its search history. Train tickets revealed that the spies planned to visit the centre in Bern on April 17
Grainy surveillance footage shows the moment Dutch intelligence officers descended on the scene and caught the four men outside the chemical weapons agency
Pictures released at the briefing show the cache of equipment seized from the men
‘Our action today reinforces the clear message from the international community: we will uphold the rules-based international system and defend international institutions from those that seek to do them harm.’
Details were revealed today after the UK Government accused the GRU of a wave of other cyber attacks across the globe.
Foreign Secretary Jeremy Hunt said the GRU was waging a campaign of ‘indiscriminate and reckless’ cyber strikes targeting political institutions, businesses, media and sport.
The National Cyber Security Centre (NCSC) said that a number of hackers known to have launched attacks have now been linked to the GRU.
The revelations will further strain relations with Russia after Britain blamed Moscow for the nerve agent attack in Salisbury last March which left one person dead.
Russian president Vladimir Putin (centre) waves to spectators upon his arrival today in New Delhi, India
Dutch Minister of Defence Ank Bijleveld, director of Netherlands Defence Intelligence Onno Eichelsheim and British Ambassador to the Netherlands Peter Wilson revealed details of the thwarted hacking attempt at a briefing in The Hague today
Russia’s GRU intelligence agency targeted the global chemical weapons watchdog, the OPCW (pictured), whose headquarters are in The Hague, Dutch authorities revealed today
The NCSC associated four new attacks with the GRU, on top of previous strikes believed to have been conducted by Russian intelligence.
Among targets of the GRU attacks were the World Anti-Doping Agency (Wada), transport systems in Ukraine and democratic elections, such as the 2016 US presidential race, according to the NCSC.
Mr Hunt said: ‘These cyber attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport.
‘The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens.
‘This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.
‘Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.’
Britain, Holland and US spearhead fightback against Putin’s cyber war as they reveal how Moscow’s web of hackers hit high-profile targets across 30 countries – including chemical weapons watchdog probing Salisbury attack
Britain, America and the Netherlands today launched a carefully coordinated fightback against Putin’s army of hackers as the scale of Russia’s global cyber warfare was laid bare.
First, the UK accused Russia’s GRU intelligence agency of being behind hacks on the World Anti-Doping Agency (Wada), transport systems in Ukraine and democratic elections, such as the 2016 US presidential race.
Then, Dutch authorities revealed they had caught a team of Kremlin agents rigging up computers, phones and an antenna in the boot of a car to try and hack into the global chemical weapons watchdog in The Hague.
Then, this afternoon, the US Justice Department announced it has charged seven Russian military intelligence officers with hacking anti-doping agencies and other organizations.
The suspects, including the four members of The Hague cyber squad, are accused of hacking hundreds of people in 30 countries, including people working in anti-doping organisation, for FIFA and staff at a US nuclear facility supplying power to Ukraine.
Five are also charged with aggravated identity theft, money laundering and using crypto-currencies illegally in transactions that occurred in part in US. Prosecutors said: ‘We want them to face trial and be put in jail’.
The Kremlin was left trying to bat away a growing flood of evidence of its hacking activities around the world, with some allegations dating back years.
The US today charged seven Russian military intelligence officers over hacking attacks around the world. The group are accused of a range of attacks on institutions and individuals around the world. The attacks are linked to Russia attempts to spy on investigations into doping in sport, politics in the Ukraine, and the poisoning of Sergei Skripal in the UK
Dutch authorities have released images of four Russian agents who tried to hack into the global chemical weapons watchdog a month after the Salisbury novichok attack. CCTV shows them when they were kicked out of the Netherlands
CCTV images show Alexey Minin (left) while Oleg Sotnikov (right) is pictured on a photo recovered from a phone. They are both alleged to be members of the GRU’s hacking squad, who were unmasked today
Authorities released a picture of the car which was rigged up with hacking equipment
The US indictment lists the seven hackers offences as ‘computer hacking activity spanning from 2014 through May of 2018’, including targets including the World Anti-Doping Agency (WADA).
The defendants listed in the US are all Russian nationals and residents: Aleksei Morenets, 41, Evgenii Serebriakov, 37, Ivan Yermakov, 32, Artem Malyshev, 30, and Dmitriy Badin, 27, from the GRU’s Unit 26165, and Oleg Sotnikov, 46, and Alexey Minin, 46, who were also GRU officers.
The FBI indictment lists a series of allegations against the seven wanted men. It says:
- As early as November 2014, Yermakov performed reconnaissance of Westinghouse Electric Company’s (WEC) in Pennsylvania, which supplied power to the Ukraine.
- In July 2016, Yermakov and Malyshev used ‘spoofed domains’ to unleash ‘spearphishing’ attacks on WADA and United States Anti-Doping Agency (USADA) employees.
- Also in 2016, Morenets and Serebriakov, with the support of Yermakov, went to Rio to target Wi-Fi networks used by anti-doping officials.
- In mid-September 2016, Morenets and Serebriakov compromised the wifi network of a hotel hosting a WADA anti-doping conference in Lausanne, Switzerland.
- In December 2016 and January 2017, the group successfully compromised the networks of International Association of Athletics Federations IAAF and football governing body, and targeted computers and accounts used by each organization’s top anti-doping official. Among the data stolen from officials were anti-doping policies, lab results, and medical reports.
- In April 2018, Morenets, Serebriakov, Sotnikov, and Minin travelled to The Hague to try and hack into the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) during the investigation in the Salisbury novichok attack. The case against these four was set out by the Dutch Defence ministry today.
It came after the British National Cyber Security Centre (NCSC) said the GRU were behind at least four hacking attacks around the world:
- Britain’s cyber security chiefs say they have ‘high confidence’ Russian intelligence was responsible for a strike on Wada in August 2017.
- The NCSC said it was ‘almost certainly’ the GRU behind a ‘BadRabbit’attack in October 2017 that caused disruption to the Kyiv metro and, Odessa airport in the Ukraine and Russia’s central bank.
- The NCSC also stated that the GRU was ‘almost certainly’ to blame for hacking the Democratic National Committee during the US presidential election in 2016.
- The agency pointed the finger at the GRU for accessing email accounts at a small UK-based TV station in 2015.
Surveillance footage shows the moment Dutch intelligence officers descended on the scene and caught the four men outside the chemical weapons agency
A briefing in The Hague was shown pictures of each of the men’s passports. Alexey Minin, from Perm, to the north west of Moscow, was named as one of the men
One of the men was named as Evgeny Serebriakov and his passport of photo was released
Another of the men was named as Oleg Sotnikov, said to have been born in Oeljanovsk
The passport numbers of the men were released, including Aleksei Morenets, from Murmansk
The three governments’ public expose of the operation will reignite hostilities between Putin’s regime and the West, following tit-for-tat diplomatic expulsions in the wake of the Salisbury attack.
Russian Foreign Ministry spokeswoman Maria Zakharova dismissed the new hacking accusations from the Netherlands and UK as ‘big fantasies’.
The Dutch Defence Ministry said the team of GRU officers – travelling on official Russian passports – entered the Netherlands on April 10, just a month after the Salisbury nerve agent attack.
Three days later, they parked a car carrying specialist hacking equipment outside the headquarters of the OPCW in the The Hague, where the novichok attack was being investigated.
However, before they could initiate the hacking attack, Dutch counter-intelligence officers descended on the vehicle and seized the men, who were then kicked out of the country.
The hacking attempt – described as a ‘close access’ attack due to the attempt by the group to get close to the building – followed a longer-range earlier ‘spearphishing attack’ on the OPCW headquarters.
A laptop belonging to one of the four Hague hackers was linked to Brazil, Switzerland and Malaysia, with the activities in Malaysia related to the investigation into the 2014 shooting down of flight MH17 over Ukraine, Dutch Defence Minister Ank Bijleveld told a news conference.
At a joint press conference in The Hague, British ambassador to the Netherlands Peter Wilson said: ‘This disruption happened in April. Around that time the OPCW was working to independently verify the United Kingdom’s analysis of the chemical weapons used in the poisoning of the Skripals in Salisbury.’
In a joint statement Theresa May and Dutch prime minister Mark Rutte said: ‘We have, with the operations exposed today, further shone a light on the unacceptable cyber activities of the Russian military intelligence service, the GRU.
‘This attempt to access the secure systems of an international organisation working to rid the world of chemical weapons, demonstrates the GRU’s disregard for the global values and rules that keep us safe.
‘Our action today reinforces the clear message from the international community: we will uphold the rules-based international system and defend international institutions from those that seek to do them harm.’
Meanwhile NATO Secretary General Jens Stoltenberg warned Russia to halt its ‘reckless’ behavior amid a series of global cyberattacks blamed on Moscow.
Surveillance pictures show the men at the scene on the day of the thwarted hacking attack
A map released by the Dutch authorities shows how close the group managed to park their rental car to the OPCW headquarters, where chemical weapons are investigated
***
Read more at DailyMail.co.uk