Spy Bust Exposes Methods of Putin's GRU Military Hackers

(Bloomberg) -- The exposure of Russian espionage operations by Dutch, U.K. and U.S. authorities has opened a window into the sometimes sloppy tradecraft of the Kremlin’s GRU military-intelligence service.

For former KGB agent Vladimir Putin, it must make for painful reading.

Dutch intelligence caught four alleged Russian agents with specialist equipment for “close access” hacking of wifi networks that was hidden under a coat in the trunk of their hired Citroen C3 car parked next to the headquarters of the Organization for the Prohibition of Chemical Weapons in The Hague in April. The United Nations body was examining evidence of a nerve-agent attack in the U.K. in March that British officials have blamed on the Kremlin.

Dutch officials, who expelled the accused agents, found that one of the men had a receipt for a taxi that took him from a GRU barracks to the airport in Moscow on April 10, from where the four had flown to the Netherlands on diplomatic passports. Two of the passports had consecutive serial numbers, and the men were found with 20,000 euros and $20,000 in cash, Dutch officials said.

In Washington, U.S. prosecutors announced indictments of seven Russian military-intelligence operatives on charges of hacking and fraud against targets ranging from Westinghouse Electric Corp. to world anti-doping authorities who’d exposed state-backed cheating by Russian athletes. Three of the men were also charged in July for alleged cyber attacks in the 2016 U.S. election.

The coordinated announcements of alleged Kremlin espionage against the OPCW, as well as allegations that Russian agents sought to disrupt international investigations into sports doping and the 2014 downing of a passenger plane over Ukraine, add to spiraling tensions between the West and Moscow.

Sanctions Warning

The ruble weakened against the dollar after U.K. Foreign Secretary Jeremy Hunt told reporters in London that British officials plan to discuss with allies “what further sanctions should be imposed” on Russia. The U.K. and the U.S. have already imposed sanctions on Russia over the cases.

The Dutch Defense Ministry published copies of the passports of the four alleged agents expelled from the Netherlands, naming them as Oleg Sotnikov, 46, Aleksei Morenets, 41, Evgenii Serebriakov, 37, and Alexey Minin, 46.

The men were caught “in flagrante,” according to British government officials, who said the U.K. had played a supporting role in the operation. “For the GRU to get caught in this way would be considered a pretty bad day,” one official said, asking not to be identified because the matter is sensitive.

The Dutch announcement came just hours after the U.K. blamed the Kremlin for a spate of “reckless and indiscriminate” cyber attacks, including on the Democratic National Committee during the 2016 U.S. presidential campaign. The U.K.’s relations with Russia are at their worst since the height of the Cold War in the 1970s after Prime Minister Theresa May accused the Kremlin of responsibility for the nerve-agent attack on a former spy, Sergei Skripal.

‘Serious Harm’

The Dutch allegations against Russia are causing “serious harm” to bilateral relations, the Foreign Ministry in Moscow said in a website statement. Hacking accusations made by the Netherlands and the U.K. are part of an “orchestrated propaganda campaign against our country,” it said.

The OPCW announced on April 12 that a nerve agent of “high purity” was used to poison Skripal after it carried out a technical evaluation of evidence presented by British officials of the first chemical-weapon attack in Europe since World War II.

British police believe two GRU agents, using the aliases Alexander Petrov and Ruslan Boshirov, sprayed the weapons-grade nerve poison Novichok on a door handle at Skripal’s home in Salisbury, southern England. The attack left the former double-agent and his daughter, Yulia, critically ill. Salisbury resident Dawn Sturgess, 44, who was later exposed to the same nerve agent carried into the U.K. in a counterfeit perfume bottle, died in July.

Phone Data

Dutch officials said Thursday that data collected from the phones of the alleged agents apprehended outside the OPCW headquarters showed the devices had been used at or near the GRU barracks on Moscow’s Komsomolsky Prospect. A plastic shopping bag in the trunk of their car contained trash the men had swept from their hotel rooms, including empty beer cans and snack wrappers, to hide their trail, according to the officials.

Dutch agents who examined the laptop of one of the alleged spies found he’d used public wifi services in Kuala Lumpur, Malaysia, and Lausanne in Switzerland prior to the operation in The Hague. His internet search history showed he’d looked up the OPCW, while reconnaissance photos of the headquarters were found on the camera of another of the men.

MH17 Operation

“One of the Russian intelligence officers involved in this operation in the Netherlands was also actively involved in a GRU operation focusing on Malaysia’s investigation of the crash of Malaysia Airlines flight MH17,” Dutch Defense Minister Ank Bijleveld said at a briefing in The Hague. A joint investigation team in May said a BUK missile belonging to the Russian army was responsible for downing the passenger jet in eastern Ukraine, killing 298 people.

The expelled agents were also suspected of attempting to hack into an International Olympic Committee meeting in Lausanne on Moscow’s alleged state-sponsored doping program.

The U.S. accused the seven operatives of working to undermine and retaliate against anti-doping organizations that had publicly exposed Russian-sponsored cheating, and to damage the reputation of clean athletes from other countries by falsely claiming they’d used banned drugs. Social and traditional media were flooded with the private medical information of more than 250 athletes from 30 countries in a way that inaccurately reflected or omitted the true purpose of that information, Assistant Attorney General John Demers said.

Hacking operations extended to the U.K., where the GRU attempted to “compromise Foreign and Commonwealth Office computer systems via a spearphishing attack” in March after the Salisbury attack, U.K. Ambassador to the Netherlands Peter Wilson told the briefing in The Hague.

Russia’s ‘Mess’

GRU hackers in Russia also targeted the computers of the U.K. Defense and Science Technology Laboratory at Porton Down in April and sent a spearphishing email in May that impersonated Swiss federal authorities to target OPCW employees and computers, he said.

“This was the GRU trying to clean up Russia’s own mess,” Wilson said.

Russia’s embassy to the Netherlands dismissed the allegations as “disinformation,” according to the state-run Tass news agency. Russia denies any involvement in the Skripal attack, which led to a mass expulsion of diplomats by the U.K. and its western allies and the imposition of sanctions by the U.S. President Putin this week denounced Skripal as a “scumbag” and a “traitor.”

“The Russians got caught with their equipment with people who were doing it and they have got to pay the piper,” U.S. Defense Secretary James Mattis told reporters at a NATO summit in Brussels. “They’re going to have to be held to account.”

©2018 Bloomberg L.P.