The Kremlin’s botched cyber attack on the world’s chemical weapons watchdog to extract information on the Salisbury poisonings investigation is just the “tip of the iceberg.”
Britain’s security and intelligence services were braced for Kremlin retaliation after a botched cyber-attack by Russian spies on the world’s chemical weapons watchdog was exposed.
Four blundering agents from Vladimir Putin’s GRU military intelligence service were caught attempting to hack into the computer systems of the Organisation for the Prevention of Chemical Weapons using antennae hidden under a coat in a hire car parked yards from its headquarters in the Netherlands.
Tracked down with help from MI6, the gang were snatched “in flagrante” stamping on mobile phones and other equipment in a panic-driven bid to hide their espionage activities after realising the operation had been compromised.
Whitehall insiders confirmed that, while the exposure was designed to deter rather than escalate the diplomatic cold war between Russia and the West, a GRU revenge strike against Britain’s security services was highly likely. “Anything could happen,” said one source.
All four agents, who had come to Europe with diplomatic passports granting them immunity from arrest, were immediately sent back to Moscow by Dutch authorities after their capture last April.
The British and Dutch governments revealed the brazen attack on the watchdog, which was analysing samples of the Novichok nerve agent deployed in Salisbury, yesterday to “shine a light” on the GRU’s international activities. Significant information about GRU plans to cause cyber mayhem was netted in the swoop.
Tens of thousands of agents could be involved in any counter operation from Russia, according to security experts.
Professor Anthony Glees, director at the Centre for Security and Intelligence Studies at The University of Buckingham, said: “We believe this top secret force may have as many as 80,000 personnel. It is far larger than it was in the days of the USSR.”
Tory MP Tom Tugendhat, chairman of the Commons Foreign Affairs Committee, said: “Putin’s corrupt greed has turned the GRU into an amateurish bunch of jokers.”
British and Dutch officials yesterday identified the four GRU agents as Aleksei Morenets, 41, Evgenii Serebriakov, 37, Oleg Sotnikov, 46, and Alexey Valeryevich Minin, also 46. They were born in Murmanskaya Oblast, Kursk, Ulyanovsk, and Perm Oblast respectively, according to the passports used to enter the Netherlands.
Officials identified Morenets and Serebriakov as cyber operators and Sotnikov and Minin as intelligence support agents responsible for logistics of the GRU operation.
They were linked to the GRU cyber warfare force APT28, which also operates under the codenames Fancy Bear and Sandworm.
Officials described the swoop as a humiliating setback for Putin’s spy network.
“For the GRU to get caught in this way would be considered to be a pretty bad day,” said one UK security official.
They suspect the operation was an attempt to obtain information to discredit the international investigation into the cause of the Salisbury attack.
“It’s hard to know their full intent as their operation failed but judging from their past form elsewhere discrediting the investigation could well have been their intention,” the security official added.
In April GRU agents, possibly from the same gang, attempted to hack into computers at Britain’s Defence Science and Technology Laboratory at Porton Down in Wiltshire, which led the probe into the Novichok poisoning.
Remote “spearphishing” hacking techniques over the internet were deployed in the attack on Porton Down in contrast to the “close access” assault deployed at The Hague.
The OPCW was also due to investigate evidence of a chemical weapons attack in the Syrian town of Douma at the time of the incident.
Evidence in the Dutch raid showed that two of the gang were planning to travel on to Switzerland, where OPCW laboratories are based.
Confirming the agents were stamping on their equipment when they were apprehended, one security official said: “They were caught in flagrante.”
Another official said “a size-12 boot” had been deployed in the panicky attempt to destroy the evidence.
A CCTV photo released by the Dutch Defence Intelligence and Security Service yesterday showed the four agents swaggering through Amsterdam’s Schiphol Airport with suitcases and trolley bags after their arrival on April 10. They were also accompanied by an official from the Russian Embassy at The Hague.
Other photographs released by the security service showed the hacking equipment stashed by the gang in a Citroen C3 rented at Amsterdam Airport on their arrival three days earlier.
An antenna used for hacking into WiFi systems, connected to a 4G smartphone, was found hidden under a black coat spread out in the back of the vehicle in the swoop by a Dutch counter-intelligence unit.
A computer, battery and transformer were also found in the car boot. Some of the equipment is thought to have been smuggled in from Moscow while the rest was bought in Europe.
Data from Serebriakov’s laptop showed a string of internet searches for information about the OPCW. It also contained a snap of the spy posing with a female acquaintance at the Olympic Games in Brazil two years ago. GRU agents are also known to have targeted international sporting bodies involved in athletic doping investigations.
Photos of the OPCW HQ and its surroundings taken on April 11 were found on Minin’s camera.
And a photo of the building taken from the window of a room in the neighbouring Marriott Hotel where the gang stayed the following day was also found on the device.
Evidence that some of the gang’s phones were used at a GRU barracks in Moscow was also released.
Cash including 20,000 Euros and 20,000 US dollars was found among the gang’s kit.
Britain and its allies have stepped up counter-espionage activities against the GRU since Theresa May confirmed its agents were almost certainly behind the Salisbury attack in a statement to MPs last month.
UK security agencies detected a “spearphishing” onslaught on the Foreign Office’s computer system in March.
The Prime Minister, in a joint statement with her Dutch counterpart Mark Rutte, said: “We have, with the operations exposed today, further shone a light on the unacceptable cyber activities of the Russian military intelligence service, the GRU.
“This attempt to access the secure systems of an international organisation working to rid the world of chemical weapons, demonstrates the GRU’s disregard for the global values and rules that keep us safe.
“Our action today reinforces the clear message from the international community: we will uphold the rules-based international system and defend international institutions from those that seek to do them harm.”
Foreign Secretary Jeremy Hunt said Russia could face further sanctions in the wake of “hard evidence” of the hacking.
Peter Wilson, the UK’s ambassador to the Netherlands, joined Dutch authorities in releasing the information in a joint news conference at The Hague.
He said the hacking attack happened when the “OPCW was working to independently verify the United Kingdom’s analysis of the chemical weapons used in the poisoning of the Skripals in Salisbury”.
Mr Wilson also accused one of the GRU officers escorted out of the Netherlands of targeting the Malaysian investigation into the shooting down of flight MH17 over Ukraine in 2014, when more than 300 people travelling from Amsterdam to Kuala Lumpur died.
Last month, the OPCW confirmed the toxic chemical that killed Dawn Sturgess in Amesbury was the same nerve agent as that which poisoned Sergei and Yulia Skripal three months earlier.
UK authorities believe two GRU agents, using the aliases Alexander Petrov and Ruslan Boshirov, smeared the highly toxic Novichok on a door handle at the Wiltshire home of Mr Skripal on March 4.
The attack left Mr Skripal and his daughter Yulia critically ill, and Ms Sturgess, 44, who was later exposed to the same nerve agent, died in July.