Western governments mounted an unprecedented and coordinated fightback Thursday against “brazen” attempts by Russia to meddle in international affairs, publicly unmasking alleged intelligence agents and blaming Moscow for a series of audacious cyberattacks.
The Dutch government accused Russia’s military intelligence agency, the GRU, of targeting the world’s chemical weapons watchdog, the Organisation for the Prohibition of Chemical Weapons (OPCW), through a foiled cyber operation.
Hours earlier, Britain, backed by close intelligence allies Australia and New Zealand, pointed the finger at the GRU for carrying out a worldwide campaign of “malicious” cyberattacks, including the hacking of the US Democratic National Committee in 2016.
The US Justice Department, meanwhile, announced criminal charges against seven Russian intelligence officers, accusing them in a sprawling indictment of hacking, wire fraud, identity theft and money laundering as part of an effort to distract from Russia’s state-sponsored sports doping program.
Four of the names given in the US indictment match those given by Dutch authorities in connection with the alleged plot against the OPCW.
The choreographed announcements by Western allies amounted to a significant escalation of tensions with Moscow.
“The GRU has interfered in free elections and pursued a hostile campaign of cyberattacks,” said Peter Wilson, the British ambassador to the Netherlands. “It is an aggressive, well-funded body of the Russian state. It can no longer be allowed to act across the world… with apparent immunity.”
Russia must know there is “a red line” and that “if they try to intervene in the democratic processes of other countries, they will be exposed and there will be consequences,” UK Foreign Secretary Jeremy Hunt said.
NATO Secretary General Jens Stoltenberg said its members “stand in solidarity with the decision by the Dutch and British governments to call out Russia on its blatant attempts to undermine international law and institutions,” and that the alliance would continue to strengthen its defenses against cyber threats.
The Dutch operation
Dutch officials gave unprecedented details as they outlined the alleged Russian operation at a joint Dutch-UK government news conference in The Hague.
Describing it as “very worrying,” Bijleveld-Schouten said four Russian military intelligence officers were expelled on April 13, the same day the plot targeting the OPCW was detected.
They left belongings behind, she said, that also enabled the Dutch to discover that one of the agents’ laptops had made connections to Brazil, Switzerland and Malaysia, trying to interfere with the investigation into the downing of Malaysia Airlines Flight 17 in eastern Ukraine in 2014.
The head of Dutch counterintelligence, Maj. Gen. Onno Eichelsheim, named the four alleged Russian officers as Aleksei Morenets and Evgenii Serebriakov — who had consecutive passport numbers, he said — Oleg Sotnikov and Alexey Minin.
The alleged agents were traveling on diplomatic passports, Eichelsheim said. One of them, Morenets, “had a taxi receipt on him … from the location Nesvizkhskiy Pereulok to the airport in Moscow,” he said. “That’s the road that borders … the GRU.”
Russia’s embassy in the UK dismissed Britain’s claims that Moscow was behind a string of global cyberattacks as “crude disinformation” aimed at confusing public opinion.
“This statement is reckless. It has become a tradition for such claims to lack any evidence. It is yet another element of the anti-Russian campaign by the UK government,” it said in a statement.
“By the way, it is hardly a coincidence that these accusations appear exactly at the time of NATO defense ministers meeting in Brussels and announcements of creating special cyber attack military units in several Western countries.”
‘Aware of security’
Addressing reporters, Eichelsheim, the Dutch counterintelligence head, gave a detailed description of what the four alleged GRU officers were doing when their operation was disrupted.
The four agents arrived in the Netherlands on April 10, rented a car the following day, and parked it in a hotel parking lot as close as possible to the OPCW headquarters in The Hague, Eichelsheim said.
“They were doing some exploration work for a close-access hack operation,” he said.
“We know for sure they were not on holiday in the Netherlands. They had numerous telephones on them, different sizes, different makes. They had quite a few on them personally,” he said. “Morenets tried to destroy the phone, or at least break the phone, when the operation was destroyed … he did not succeed completely.”
Sotnikov had a large amount of cash on him: 20,000 euros and $20,000, Eichelsheim said. “That is not an amount I carry on holiday,” he said.
“They were very aware of security,” the Dutch official said, adding that they took garbage out of their hotel rooms.
“In the boot of the Citron C3 (car they rented), we recognized high-value, high-grade equipment to hack Wi-Fi channels,” he said. “The main element is of course the antenna … that needs to access the network, in this case the network of the OPCW. The antenna aimed towards the OPCW.”
A battery to boost the power of their equipment was bought on April 11. “This battery was active in the back of this car at the Marriott hotel,” Eichelsheim said.
“That caused an immediate threat to the OPCW network,” he said.
The four alleged agents planned to travel next to an OPCW-accredited Swiss laboratory in Spiez, Bern, that does research into chemical weapons, Eichelsheim said. They had bought train tickets for April 17 from the Dutch city of Utrecht to Switzerland, he said, but did not get there because their operation was disrupted.
Eichelsheim said his service’s actions had prevented serious damage to the OPCW.
“We must not forget that at that time the OPCW was investigating the Skripals and the chemical attack in Douma,” he added, referring to attacks in Salisbury, England, and Syria respectively.
Britain has blamed the GRU for the poisoning of Russian former double agent Sergei Skripal and his daughter Yulia with a military-grade nerve agent in Salisbury on March 4.
The Kremlin has consistently dismissed official British allegations.
Anti-doping agencies targeted
The US indictment named the seven defendants, all said to be Russian nationals and residents, as Aleksei Morenets, 41; Evgenii Serebriakov, 37; Ivan Yermakov, 32; Artem Malyshev, 30; Dmitriy Badin, 27; Oleg Sotnikov, 46; and Alexey Minin, 46.
US officials allege that Yermakov, Malyshev, Badin and others would often use spearphishing emails, proxy servers, malware and fictitious personas as they targeted their victims.
“When the conspirators’ remote hacking efforts failed to capture log-in credentials, or if the accounts that were successfully compromised did not have the necessary access privileges for the sought-after information, teams of GRU technical intelligence officers, including Morenets, Serebriakov, Sotnikov, and Minin, traveled to locations around the world where targets were physically located,” the indictment said.
If their hacking efforts — made using “specialized equipment” — were successful, the “close access teams” would then transfer access to conspirators in Russia for exploitation, it said.
The victims included anti-doping agencies and officials, sporting federations and nearly 250 athletes, the indictment said. The GRU also targeted others including the Westinghouse Electric Corporation, a nuclear energy company in Pennsylvania, it added.
GRU hackers blamed
In statements Thursday, British, Australian and New Zealand authorities attributed four high-profile cyberattacks to GRU-backed hackers. The attacks targeted four sectors that impact people’s daily lives — democracy, transport, media and sport. They were:
The Bad Rabbit ransomware attack in 2017 spread through Russia and Ukraine around the world. Ransomware attacks involve threatening a user’s files or computer access in exchange for a ransom.
In the case of Bad Rabbit, the hackers disguised the ransomware as an update to Adobe software before locking down computers and demanding money for people to get their files back.
Most victims were located in Russia, but several cybersecurity firms identified attacks linked to Bad Rabbit in Turkey, Germany, Bulgaria, Japan, South Korea and the United States.
World Anti-Doping Agency hack
The WADA attack involved the release of Therapeutic Use Exemptions (TUE) for sports stars including American four-time Olympic gold medalist Simone Biles as well as tennis sisters Venus and Serena Williams.
At the time, WADA President Craig Reedie said that the hacking was clearly a retaliatory attack after 118 of Russia’s athletes were banned from competing at the Rio 2016 Olympic Games following revelations of “state-sponsored” doping.
All three countries said they had determined Russia hacked the Democratic National Convention ahead of the 2016 presidential election. That hack led to the release of a batch of private emails and notes, including many that belonged to Hillary Clinton’s campaign manager, John Podesta.
In the months following the cyberattack, the US intelligence community concluded that Russia did in fact attempt to interfere in the 2016 presidential elections, and top national security officials said in August that Russia is continuing to pursue similar efforts.
TV station attack
The statements accused Russia of stealing content and illicitly accessing email accounts from a small UK-based TV station in July and August 2015. The station was not named.