Britain, Holland and US spearhead fightback against Putin's cyber war as they reveal how Moscow's web of hackers hit high-profile targets across the globe - including chemical weapons watchdog probing Salisbury attack
- US charges 7 Russian spies with crimes including hacking, identity theft and fraud using crypto-currencies
- British cyber security group accuses Russia's GRU of at least four hacking attacks around the world
- Dutch authorities lift lid on operation to hack chemical weapons HQ in Netherlands in April
- Men were picked up with a cache of computer equipment, linking them to other incidents, and sent home
- US has released wanted poster featuring four Hague hackers and three others linked to anti-doping hacks
- GRU operatives - working under what US identified as Unit 26165 - created fake 'hacktivist' Fancy Bears group
- Russia faces storm of hacking allegations, but denies claims, calling latest evidence 'big fantasies'
Russian hackers waged a four-year disinformation campaign against the west in which they obtained sensitive information from weapons watchdogs and anti-doping sports bodies, it emerged today.
Seven Kremlin agents working for the GRU are accused of hacking the records of 250 athletes from 30 countries as they travelled across the globe using the intelligence obtained to spread fake news designed to bolster President Vladimir Putin's position on the world stage.
The targets included FIFA, the World Anti-Doping Agency and the 2016 US presidential race that resulted in the election of Donald Trump.
Spies also attempted to hack computers at the UK Foreign Office and the Porton Down military research facility days after assassins tried to murder the Skripals in Salisbury. The unit - nicknamed 'Sandworm' - tried and failed to infiltrate UK IT systems as part of a series of attacks across Europe this year.
American intelligence identified the spies as working for the GRU's Unit 26165, which it has emerged created the fake 'hacktivist' group Fancy Bears to disseminate the material along with misleading statements designed to exonerate Russia of doping allegations and instead level them at the US.
And when Dutch authorities caught four of the suspects in The Hague trying to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) as it investigated the Salisbury novichok attack, they had to send them back to Russia on account of their diplomatic passports. The OPCW was also due to conduct analysis of the chemical weapons attack in Douma on April 7.
But despite their 'sophisticated' operation from 2014-2018, the bungling spies were today revealed to have left a trail including a taxi receipt for a journey from GRU headquarters to Moscow's Sheremetyevo airport the very day that four agents arrived in Amsterdam. One of the group even kept selfies from previous operations including one taken at the 2016 Olympics in Brazil where Russian athletes' doping samples were tampered with and US athletes' medical records leaked.
The US today charged seven Russian military intelligence officers over hacking attacks on institutions and individuals around the world. The attacks are linked to Russian attempts to spy on investigations into doping in sport, politics in the Ukraine and the US, and the poisoning of Sergei Skripal in the UK.
Dutch authorities released images of four Russian agents who tried to hack into the global chemical weapons watchdog a month after the Salisbury novichok attack. CCTV shows them when they arrived in the Netherlands
CCTV images show Alexey Minin (left), while Oleg Sotnikov (right) is pictured on a photo recovered from a phone. They are both alleged to be members of the GRU's hacking squad, who were unmasked today
After the Dutch named four men it caught hacking The Hague, US authorities released images of Artem Malyshev, 30, Ivan Yermakov, 32, and Dmitriy Badin, 27 (pictured, left to right), who it named as GRU hackers
Russian president Vladimir Putin waves to spectators prior to boarding a car after his arrival in New Delhi as the GRU's campaign of cyber warfare against the west was today exposed
These images, made available by the Dutch Ministry of Defence today, are said to show the hacking equipment that four Russian intelligence officers used for a cyber attack on the OPCW
Today the UK accused Russia's GRU intelligence agency of being behind hacks on the World Anti-Doping Agency (Wada), transport systems in Ukraine and democratic elections, such as the 2016 US presidential race. Britain has warned Russia it could face new sanctions, with foreign secretary Jeremy Hunt saying the disclosures were 'hard evidence' of the 'unacceptable' activities of Russian intelligence.
Then, Dutch authorities revealed they had caught a team of Kremlin agents rigging up computers, phones and an antenna in the boot of a car to try and hack into the global chemical weapons watchdog in The Hague.
The spies were apprehended after setting up at the Marriott Hotel next door, with general manager Vincent Pahlplatz saying the spies were 'no James Bond'.
This afternoon, the US Justice Department announced it has charged seven Russian military intelligence officers with hacking anti-doping agencies and other organizations.
The Kremlin was left trying to hold back a growing flood of evidence of its hacking activities around the world, spread over four years.
The US indictment lists Russian nationals: Aleksei Morenets, 41, Evgenii Serebriakov, 37, Ivan Yermakov, 32, Artem Malyshev, 30, and Dmitriy Badin, 27, from the GRU's Unit 26165, and Oleg Sotnikov, 46, and Alexey Minin, 46, who were also GRU officers.
The FBI indictment lists a series of allegations against the seven wanted men. It says:
- As early as November 2014, Yermakov performed reconnaissance of Westinghouse Electric Company (WEC) in Pennsylvania, a company involved in the supply of power to the Ukraine.
- In July 2016, Yermakov and Malyshev used 'spoofed domains' to unleash 'spearphishing' attacks on WADA and United States Anti-Doping Agency (USADA) employees.
- Also in 2016, Morenets and Serebriakov, with the support of Yermakov, went to Rio to target wifi networks used by anti-doping officials at the Olympic Games.
- In mid-September 2016, Morenets and Serebriakov compromised the wifi network of a hotel hosting a WADA anti-doping conference in Lausanne, Switzerland.
- In December 2016 and January 2017, the group successfully compromised the networks of International Association of Athletics Federations (IAAF) and football's governing body FIFA, targeting computers used by each organization's top anti-doping official. Among the data stolen from officials were anti-doping policies, lab results, and medical reports.
- In April 2018, Morenets, Serebriakov, Sotnikov, and Minin travelled to The Hague to try and hack into the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) during the investigation into the Salisbury novichok attack. The case against these four was also set out by the Dutch Defence ministry today.
It came after the British National Cyber Security Centre (NCSC) said the GRU were behind at least four hacking attacks around the world:
- A hacking strike on Wada in August 2017.
- A 'BadRabbit' attack in October 2017 that caused disruption to the Kiev metro and Odessa airport in the Ukraine.
- The NCSC also stated that the GRU was 'almost certainly' to blame for hacking the Democratic National Committee during the US presidential election in 2016.
- The agency pointed the finger at the GRU for accessing email accounts at a small UK-based TV station in 2015.
As Russia's hacking activities around the world were exposed, Dutch authorities detailed how they caught four GRU agents in The Hague, trying to hack into the chemical weapons watchdog's computers at a time the body was investigating the Sergei Skripal novichok poisoning in Salisbury.
Surveillance footage shows the moment Dutch intelligence officers descended on the scene and caught the four men outside the chemical weapons agency
A briefing in The Hague was shown pictures of each of the men's passports. Alexey Minin, from Perm, to the north west of Moscow, was named as one of the men
One of the men was named as Evgeny Serebriakov and his passport photo was released
Another of the men was named as Oleg Sotnikov, said to have been born in Oeljanovsk
The passport numbers of the men were released, including Aleksei Morenets, from Murmansk
The FBI later released this copy of the passport of Dimitry Badin who is accused of hacking related to the 2016 US elections
The three governments' public expose of the operation will reignite hostilities between Putin's regime and the West, following tit-for-tat diplomatic expulsions in the wake of the Salisbury attack.
Russian Foreign Ministry spokeswoman Maria Zakharova dismissed the new hacking accusations from the Netherlands and UK as 'big fantasies'.
The Dutch Defence Ministry said the team of GRU officers - travelling on official Russian passports - entered the Netherlands on April 10, just a month after the Salisbury nerve agent attack.
Three days later, they parked a car carrying specialist hacking equipment outside the headquarters of the OPCW in The Hague, where the novichok attack was being investigated.
However, before they could initiate the hacking attack, Dutch counter-intelligence officers descended on the vehicle and seized the men, who were then kicked out of the country.
The hacking attempt - described as a 'close access' attack due to the attempt by the group to get close to the building - followed a longer-range earlier 'spearphishing attack' on the OPCW headquarters.
A laptop belonging to one of the four Hague hackers was linked to Brazil, Switzerland and Malaysia, with the activities in Malaysia related to the investigation into the 2014 shooting down of flight MH17 over Ukraine, Dutch Defence Minister Ank Bijleveld told a news conference.
At a joint press conference in The Hague, British ambassador to the Netherlands Peter Wilson said: 'This disruption happened in April. Around that time the OPCW was working to independently verify the United Kingdom's analysis of the chemical weapons used in the poisoning of the Skripals in Salisbury.'
In a joint statement Theresa May and Dutch prime minister Mark Rutte said: 'We have, with the operations exposed today, further shone a light on the unacceptable cyber activities of the Russian military intelligence service, the GRU.
'This attempt to access the secure systems of an international organisation working to rid the world of chemical weapons, demonstrates the GRU's disregard for the global values and rules that keep us safe.
'Our action today reinforces the clear message from the international community: we will uphold the rules-based international system and defend international institutions from those that seek to do them harm.'
Meanwhile NATO Secretary General Jens Stoltenberg warned Russia to halt its 'reckless' behavior amid a series of global cyberattacks blamed on Moscow.
Surveillance pictures show the men at the scene on the day of the thwarted hacking attack
A map released by the Dutch authorities shows how close the group managed to park their rental car to the OPCW headquarters, where chemical weapons are investigated
Pictures show the cache of equipment seized from the men. They attempted to smash up some of the phones (inset) when they realised authorities were on to them
In a statement issued during a meeting of NATO defense ministers today, Mr Stoltenberg said: 'NATO allies stand in solidarity with the decision by the Dutch and British governments to call out Russia on its blatant attempts to undermine international law and institutions.'
He said that 'Russia must stop its reckless pattern of behavior, including the use of force against its neighbors, attempted interference in election processes, and widespread disinformation campaigns.'
The 29 NATO allies are discussing cybersecurity at talks in Brussels, with the US, Britain, Denmark and the Netherlands due to announce that they will provide offensive cyber-capabilities for use by NATO.
The revelations will further strain relations with Russia after Britain blamed Moscow for the nerve agent attack in Salisbury last March which left one person dead.
Foreign Secretary Jeremy Hunt said Russia could face further sanctions in the wake of the latest 'hard evidence'.
Mr Hunt said: 'The first thing we are doing is to expose it and the words matter because there are countries all over the world that are hearing both sides of the story - they're hearing what the Russians say as well.
'This is the evidence that what we are getting from Russia is fake news, and here is the hard evidence of Russian military activity.
'But of course it will go beyond that, and that is why we will be discussing with our allies what further sanctions should be imposed.
'We will also be discussing how we need, working with our friends and allies, to counter this pattern of cyber attacks, which is the new type of attack that the whole world is having to deal with.'
Dutch authorities released images of the huge amount of cash found on the men. Sotnikov had 20,000 euros and 20,000 dollars on him
The men took their own rubbish - including several beer cans - out of their hotel room, presumably because they were concerned about an investigation
Incredibly, a taxi receipt found on one of the men named the street in Moscow where the GRU has its headquarters
UK Defence Secretary Gavin Williamson, attending a Nato summit in Brussels, said Moscow was targeting organisations with no military value.
He told Sky News: 'What we are seeing is that Russia is quite willing to use such weapons such as cyber attacks against these organisations, and here at Nato we stand shoulder to shoulder with our allies in unity against such actions.
'What we have made clear is that we are not going to be backward leaning. We are going to actually make it clear where Russia acts that we are going to be exposing that action.
'And we believe that by doing so this will act as a disincentive for acting in such a way in the future.'
He added: 'The Russian government needs to know that if they flout international law in this way, there will be consequences, they will be exposed, and people will see the Russian government for what they are; which is an organisation that is trying to foster instability throughout the world and that is totally unacceptable.'
Dutch Minister of Defence Ank Bijleveld, director of Netherlands Defence Intelligence Onno Eichelsheim and British Ambassador to the Netherlands Peter Wilson revealed details of the thwarted hacking attempt at a briefing in The Hague today
Russia's GRU intelligence agency targeted the global chemical weapons watchdog, the OPCW, whose headquarters are in The Hague, Dutch authorities revealed today
Security expert Hamish de Bretton-Gordon said the cyber attacks in The Hague and at Porton Down showed Putin was bent on disrupting the investigation into the novichok attack in Salisbury.
Mr de Bretton-Gordon said: 'It shows how the Russians did everything they could to undermine and disrupt the novichok investigation and try to make it fall apart. It is completely cynical and they didn't care at all'.
He added: 'Britain asked the OPCW to help and then soon afterwards Russian agents target them in The Hague and in Switzerland. It is no coincidence'.
The intervention by Britain, The Netherlands and the US today will put pressure on Putin to curb his cyber warfare.
But his spies' failure to kill Sergei Skripal and being caught trying to hack the OPCW 'will hurt him more', Mr de Bretton-Gordon said.
He added: 'The British secret services may have considered the GRU as equals but the past few months have shown they are amateurish and the West is now one step ahead of them. Putin will not like that and there will be a lot of anger in Moscow about some of these recent bungled missions'.
Russian spies launched cyber attack from boot of rented Citroen using 'basic' hacking method... but left trail of clues including taxi receipts and cans of Heineken in an Aldi bag
The GRU used a laptop, Wi-Fi dongle and a rudimentary battery pack stored in the boot of a rented Citroen C3 in its botched cyber attack on the global chemical weapons watchdog, it was revealed today.
Using a technique from the early days of Wi-Fi, they attempted to break into the Organisation for the Prohibition of Chemical Weapons's network in The Hague by tricking staff into logging into their fake router.
They parked the car at a local hotel and disguised the Wi-Fi antenna hidden inside the router, so staff would log in. The laptop then stole their username and password, allowing the agents to get into the OPCW's network.
The boot of a car filled with hacking equipment in the Citroen rental car which was being used by the four Russian officers
Authorities released a picture of the car which was rigged up with hacking equipment
Through the network they could spy on operations within the building, including investigations into the Salisbury Novichok attack.
It also emerged today that Russia's bungling GRU agents left a trail of clues that helped authorities link them to the string of cyber attacks.
Among the items revealed at an extraordinary briefing in The Hague today was a mobile phone, found on one of the men, that had been activated near the Russian military intelligence headquarters in Moscow.
Also discovered on one of the spies was a taxi receipt showing a journey from a street next to the GRU base to Moscow Airport on April 10, the day that the four agents later arrived at Amsterdam Schiphol Airport.
The team of four GRU officers travelling on official Russian passports entered the Netherlands on April 10 – but it turned out that two of them were carrying documents with consecutive passport numbers.
On April 11, they hired a Citroen C3 and scouted the area around the OPCW - all the time being watched by Dutch intelligence.
The agents, who stayed at a Marriott Hotel next to the Organisation for the Prohibition of Chemical Weapons in The Hague, were also found to have used public WiFi hotspots to conduct their operations in the Netherlands.
And they were photographed performing reconnaissance of the OPCW headquarters, where the nerve agent sample was being independently verified.
One of the many phones belonging to four Russian GRU officers is seen after they tried to destroy it when they were arrested
When leaving The Hague, the men took all the rubbish from their room - including empty cans of Heineken beer and what appeared to be an empty cold meat packet in an Aldi bag - in a further bid to cover their tracks.
On April 13, the GRU officers were said to have parked a rental car with specialist hacking equipment outside the OPCW's headquarters to breach its systems – but British and Dutch intelligence thwarted the operation.
And when the men were arrested, they were caught with €20,000 (£17,000 or $23,025) and $20,000 (£15,000) in cash. The group also tried - and failed - to destroy a mobile phone, and they were caught with incriminating laptops.
A researcher has revealed that the rudimentary technique they used to hack into the OPCW is common - though it has never been used in such a high-profile case.
Professor Alan Woodward, a computer scientist at the University of Surrey, said the Russians likely used an ordinary laptop attached to a directional antenna, which was pointed at the OPCW building.
He said unlike more common remote hacking techniques, the GRU agents needed to park close to the site in order for the WiFi signal to be strong enough.
Looking at the equipment in the boot of the car it appears they were attempting to intercept login credentials as people tried to connect to the WiFi network at OPCW, Professor Woodward said.
'A classic way of doing this is to set yourself up as what is known as an "evil access point",' he told MailOnline. 'You pretend to be the network they are attempting to connect to and steal their login details as their computer or phone tries to connect.'
The cyber security expert said it was unusual for high level intelligence officials to use such a rudimentary form of attack. '[The technique] has been around as long as WiFi has,' he told MailOnline.
'Attacks have evolved as security in WiFi has evolved. But it's so basic that most enterprise style organisations are well protected. Hence the high profile cases tend to be from some more remote source.'
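As an added illustration, not part of the original report or of any agency's tooling, the Python below shows how a defender might check a Wi-Fi scan for the 'evil access point' pattern Professor Woodward describes: a familiar network name announced by hardware the organisation does not own, with weaker security or an unusually strong signal. The network name, hardware addresses, inventory format and signal margin are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str       # network name being advertised
    bssid: str      # hardware (MAC) address of the access point
    channel: int
    security: str   # e.g. "WPA2-Enterprise", "WPA2-PSK", "Open"
    rssi_dbm: int   # received signal strength (closer to 0 is stronger)


# Hypothetical inventory of the organisation's own access points:
# SSID -> required security mode and {bssid: channel}.
INVENTORY = {
    "EXAMPLE-CORP": {
        "security": "WPA2-Enterprise",
        "aps": {"02:00:00:aa:00:01": 1, "02:00:00:aa:00:02": 6},
    },
}

# Constructed scan results (not real captures).
SAMPLE_SCAN = [
    Beacon("EXAMPLE-CORP", "02:00:00:AA:00:01", 1, "WPA2-Enterprise", -61),
    Beacon("EXAMPLE-CORP", "02:00:00:AA:00:02", 6, "WPA2-Enterprise", -72),
    # Same name, unknown hardware, no encryption, very strong signal.
    Beacon("EXAMPLE-CORP", "02:00:00:EE:00:99", 11, "Open", -38),
    # A known address copied by another device shows up on the wrong channel.
    Beacon("EXAMPLE-CORP", "02:00:00:AA:00:02", 11, "WPA2-Enterprise", -40),
    Beacon("HotelGuest", "02:00:00:BB:00:07", 3, "Open", -55),
]


def _matches(beacon, policy):
    """True when address, channel and security all agree with the inventory."""
    expected_channel = policy["aps"].get(beacon.bssid.lower())
    return expected_channel == beacon.channel and beacon.security == policy["security"]


def find_suspect_aps(scan, inventory, rssi_margin_db=15):
    """Return [(bssid, [reasons])] for beacons that use one of our SSIDs
    but do not match the inventory. Heuristic only: addresses and channels
    can be copied, so a clean result is not proof that no rogue AP exists."""
    # Strongest signal seen from a fully matching AP, per SSID.
    baseline = {}
    for b in scan:
        policy = inventory.get(b.ssid)
        if policy and _matches(b, policy):
            baseline[b.ssid] = max(baseline.get(b.ssid, -200), b.rssi_dbm)

    findings = []
    for b in scan:
        policy = inventory.get(b.ssid)
        if policy is None or _matches(b, policy):
            continue  # someone else's network, or one of ours as expected
        reasons = []
        expected_channel = policy["aps"].get(b.bssid.lower())
        if expected_channel is None:
            reasons.append("unknown BSSID")
        elif expected_channel != b.channel:
            reasons.append("known BSSID on unexpected channel")
        if b.security != policy["security"]:
            reasons.append("security mismatch")
        # A transmitter parked nearby often out-shouts the real APs.
        if b.ssid in baseline and b.rssi_dbm >= baseline[b.ssid] + rssi_margin_db:
            reasons.append("much stronger than legitimate APs")
        findings.append((b.bssid.lower(), reasons))
    return findings


if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(SAMPLE_SCAN, INVENTORY):
        print(bssid, "->", ", ".join(reasons))
```

Monitoring of this kind complements, rather than replaces, configuring staff devices to verify the network's authentication server certificate before sending credentials.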
Foreign Office and computers at Porton Down research facility were hacked by Russian spies from GRU cyber unit 'Sandworm' in wake of Salisbury novichok attack
Russian spies attempted to hack computers at the Foreign Office and the Porton Down military research facility days after assassins tried to murder the Skripals in Salisbury.
Moscow's feared GRU cyber unit nicknamed 'Sandworm' tried and failed to infiltrate UK IT systems as part of a series of attacks across Europe this year.
They carried out an unsuccessful 'spearphishing' attack on the Foreign Office in March as the police, MI5 and MI6 were trying to find out who attacked Sergei and Yulia Skripal with novichok.
At the same time they targeted computers at Porton Down in April, Britain's top military research facility where experts were testing for the nerve agent.
Computers at Porton Down were targeted by Russian spies at a time when British experts inside were testing for novichok
British intelligence helped thwart the operation, which was launched in April, a month after the Salisbury Novichok poisoning.
Details were revealed on Thursday after the UK Government accused the GRU of a wave of other cyber attacks across the globe.
At a press conference in The Hague, British ambassador to the Netherlands Peter Wilson said: 'The disruption of this attempted attack on the OPCW was down to the expertise and the professionalism of the Dutch security services in partnership with the United Kingdom.
'The OPCW is a respected international organisation which is working to rid the world of chemical weapons.
'Hostile action against it demonstrates complete disregard for this vital mission.'
Conservative MP Tom Tugendhat, chairman of the UK's Commons Foreign Affairs Committee, tweeted: 'The catalogue of evidence shows why the Dutch are excellent partners and that the decades of theft have stripped Russia's intelligence of the skills they once had. Putin's corrupt greed has turned the GRU into an amateurish bunch of jokers.'
Dutch authorities released a diagram showing how the hacking equipment was set up in the boot of the car. Right: Some of the haul of electronic kit found in the group's possession
Russia 'interfered in three elections' as it targeted Britain, Macedonia, U.S. and Ukraine in string of 'brazen' cyber attacks aimed at destabilising democracies around the world
Russian spies launched a global cyber war to interfere with three elections, the Olympics, the MH17 investigation and the hunt for the men behind the Skripal attack in Salisbury, it was revealed today.
The Kremlin has been accused of using its agents to 'foster instability' in democracies around the world as their operations over the past three years were laid bare.
Targets included the metro and airports in Ukraine, police in Malaysia investigating claims the Russians shot down MH17 killing 300 passengers and even the emails of a small UK TV station.
Russian president Vladimir Putin appeared untroubled by the growing storm over Russian hacking as he met India's Prime Minister Narendra Modi in New Delhi today
Their hacking missions were inadvertently revealed by the four bungling spies caught trying to hack into computers used by chemical weapons inspectors investigating Russian attacks in Salisbury and Syria at their Dutch headquarters.
Cyber expert Evgenii Serebriakov's laptop was seized at The Hague and revealed he kept selfies from previous operations including at the 2016 Olympics in Brazil where Russian athletes' doping samples were tampered with and US athletes' medical records leaked.
His laptop also linked the men to cyber attacks in Switzerland, America, Denmark and Germany.
Two of the officers were planning to travel on to Switzerland where the OPCW - which was at the time investigating the Salisbury attack and a suspected chemical weapons attack in Syria - has laboratories.
The National Cyber Security Centre (NCSC) has said a number of hackers known to have launched attacks have been linked to the GRU.
The NCSC associated four new attacks with the GRU, on top of previous strikes believed to have been conducted by Russian intelligence.
Among targets of the GRU attacks were the World Anti-Doping Agency (Wada), transport systems in Ukraine, and democratic elections, such as the 2016 US presidential race, according to the NCSC.
The centre said it was 'almost certainly' the GRU behind a 'BadRabbit' attack in October 2017 that caused disruption to the Kiev metro, Odessa airport and Russia's central bank.
Britain's cyber security chiefs say they have 'high confidence' Russian intelligence was responsible for a strike on Wada in August 2017.
The NCSC also said the GRU was 'almost certainly' to blame for hacking the Democratic National Committee during the US presidential election in 2016.
And the agency pointed the finger at the GRU for accessing email accounts at a small UK-based TV station in 2015.
The hackers were planning to travel on to the Spiez Laboratory, where the OPCW was studying chemical weapons