Russian agents hacked OPCW a week after Douma attack

Chemical weapons watchdog targeted from hire car parked next to hotel

In this image released and manipulated at source by the Dutch Defense Ministry, Thursday Oct. 4, 2018, four Russian officers of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, GRU, are escorted to their flight after being expelled from the Netherlands on April 13, 2018, for allegedly trying to hack into the U.N. chemical watchdog OPCW's network. The Dutch defense minister on Thursday Oct. 4, 2018, accused Russia's military intelligence unit of attempted cybercrimes targeting the U.N. chemical weapons watchdog and the investigation into the 2014 Malaysian Airlines crash over Ukraine. (Dutch Defense Ministry via AP)

Russian agents were caught red-handed trying to hack the world’s chemical watchdog, the Organisation for the Prohibition of Chemical Weapons (OPCW), as its officials were investigating the April chemical weapons attack in Syria.

More than 70 people were killed in the attack by the Kremlin-backed Damascus government on Douma on April 7 this year. Just a week later on April 13, a team from Russia’s Main Intelligence Directorate, or GRU, was arrested during an attempt to breach the investigation.

In a coordinated set of announcements worldwide on Thursday, the Dutch government revealed how it had tracked the agents from the GRU headquarters to a rented car in a hotel car park next to the OPCW headquarters; America’s Justice Department indicted seven Russian operatives for hacking; and British and Australian officials presented evidence of “brazen” cyber intrusion by Russia’s espionage outfits.

The OPCW was not the only body investigating the Douma attack to be targeted. So was a Swiss laboratory in the town of Spiez that was verifying evidence from Syria plus the material taken from the scene in Salisbury, England, where Sergei Skripal, the double agent, and his daughter Yulia were made gravely ill by the use of the agent Novichok in an assassination plot.

“It’s not always clear why [the Russians] did the operation towards the OPCW because that does not show on their equipment,” said General Onno Eichelsheim, the head of Dutch military intelligence. “What I know is they were trying to target the OPCW networks in the period that they were investigating on the Skripals and on the Douma case.”

Hours later, the FBI said it was issuing wanted posters for seven men in a Russian hacking campaign that was launched in December 2014 and ran through May 2018 to target US and international companies and sporting bodies. Among the organisations targeted were international anti-doping agencies, after Russian athletes were exposed as drug cheats and ejected from the Olympics.

The Dutch revelations repeatedly tied the men, who were travelling on diplomatic passports and were deported, to the GRU. One had a phone that was activated near its headquarters. Another had a taxi receipt for a trip from a GRU building to the airport. The men were named as Alexei Morenetz and Yevgeny Serebriakov, the main “cyber-operators”, as well as Oleg Sotnikov and Alexei Minin, who were support staff. The three others named by the FBI, Ivan Yermakov, Dmitriy Badin and Artem Malyshev, had been identified earlier this year by Robert Mueller's probe into Russian meddling in the 2016 US election.

The team held by the Dutch allegedly travelled to the Netherlands on passports that were numbered sequentially, arriving in the country on April 10.

"This attempt, to access the secure systems of an international organisation working to rid the world of chemical weapons, demonstrates again the GRU's disregard for the global values and rules that keep us all safe," British Prime Minister Theresa May and Dutch counterpart Mark Rutte said in a joint statement.




Some of the equipment seized exposed the global footprint of the hacking activities, which involved working in proximity to Wi-Fi systems, including hotel networks.

Peter Wilson, the British ambassador to the OPCW, said the laptops seized by the Dutch had been used in a succession of countries, including Brazil, Switzerland and Malaysia.

“The GRU can only succeed in the shadows. We are all agreed that where we see their malign activities, we must expose it to the light together.”

The equipment was used in Malaysia to target the investigation into the downing of flight MH-17 over rebel-held territory in eastern Ukraine in 2014, an incident that killed the 298 people on board. A Dutch-led international investigation has since concluded that the missile that brought down the Malaysian flight was controlled by a Russian army brigade.

Other information presented by Britain’s National Cyber Security Centre (NCSC) implicated the GRU with “high confidence” as “almost certainly” responsible for the 2017 attacks, as well as others including the infamous targeting of the US Democratic Party ahead of the 2016 presidential election. Two Russian media outlets, a small UK-based TV station and the Kiev metro were also targeted.

The GRU used names including Fancy Bear, Pawnstorm and Tsar Team to carry out the attacks, with the Kremlin ultimately responsible, the NCSC said. Officials said the revelations could force Russia to abandon its aggressive attacks on systems around the world.

“One of the strongest weapons we have against cyber attacks should be transparency,” said Peter Ricketts, a former British national security adviser. “It helps all around the world for people to be aware that there is this Russian military intelligence agency out there working against our interests.”

Corroboration for the claims poured in from world leaders and governments. Australian Prime Minister Scott Morrison and Foreign Minister Marise Payne issued a joint statement that Australian intelligence agencies agreed that the GRU "is responsible for this pattern of malicious cyber activity." Canada said the Montreal-based World Anti-Doping Agency had been hacked and assessed with a “high-degree of confidence” that Russia was behind the intrusions.

Russia, however, mocked the claims and retorted that the British spy agencies were carried away by “big fantasies”.

Jim Mattis, the US Defence Secretary, said America would extend cyber security cooperation with Nato countries to thwart the Russian threat. Jens Stoltenberg, the Nato Secretary General, said its members had agreed to back up those targeted by the Kremlin’s “blatant threat”.

"Russia must stop its reckless pattern of behaviour, including the use of force against its neighbours, attempted interference in election processes, and widespread disinformation campaigns," he said.

The Salisbury attack left Skripal and his daughter Yulia critically ill and resulted in the death of local woman Dawn Sturgess, who was exposed to a contaminated bottle.

Russia denies any involvement in the Skripal attack, which led to a mass expulsion of diplomats from Europe and the US, but President Vladimir Putin denounced his former colleague as a “scumbag” and a “traitor”.