Dutch security services expel Russian spies over plot targeting chemical weapons watchdog

UK intelligence officials claim Russia's GRU military intelligence agency was also behind attacks targeting Porton Down and the Foreign Office

Lizzie Dearden,Joe Watts
Thursday 04 October 2018 12:19 BST
Comments
Russia cyber attacks: UK ambassador to the Netherlands praises Dutch intelligence services

Russian spies have launched a series of cyberattacks targeting British authorities and chemical weapons investigators following the Salisbury attack, it has been revealed.

The GRU military intelligence agency allegedly tried to strike the Porton Down defence laboratory and Foreign Office following the poisoning of Sergei Skripal in March.

In April, four Russians were arrested while attempting to launch a major “close access” cyberattack against the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Hague.

Dutch investigators said the spies also intended to travel onwards to its accredited Spiez laboratory in Switzerland, which was testing novichok samples from Salisbury at the time.

Prime minister Theresa May and Dutch PM Mark Rutte condemned Russia’s actions in a joint statement, accusing Moscow of showing a “disregard for the global values and rules that keep us all safe”.

The Kremlin dismissed the fresh allegations as “fantasies” after denying any involvement in the Salisbury poisoning.

At briefings on Thursday, Whitehall officials confirmed British intelligence helped to thwart the operation against the OPCW.

The Russian men taken into custody travelled under the names Aleksei Sergeyvich Morenets, Evgenii Mikhaylovich Serebriakov, Oleg Mikhaylovich Sotnikov and Alexey Valeryevich Minin.

They had arrived in The Hague three days earlier on diplomatic passports and it is unclear whether they were using aliases.

Two of the passports – for the two “cyber operators” involved – were issued on the same day in April 2017 and have numbers just one digit apart.

The two GRU assassins who poisoned Mr Skripal in Salisbury were found to be travelling on fake passports that were three digits apart.

The men rented a Citroen C3, with a spacious boot, in Minin’s name to undertake their operation before going to their hotel.

Then on 13 April – the same day Donald Trump gave a press conference on US air strikes against Syria – they travelled in the car to OPCW headquarters, just off Johan de Wittlaan street in The Hague.

Pictures show that they parked outside the perimeter fence and opened the boot to use a computer, powered by a portable battery that had been bought in the Netherlands and connected to a wifi antenna which they hid from view under a coat.

As Dutch officers moved in, one of the men attempted to destroy some of the equipment but failed, leaving a computer and phones which revealed a sizeable amount of extra intelligence.

The men had cleaned out their hotel room, taking rubbish and any other items with them that might somehow allow counter-espionage agents to track them.

But once they were arrested they were escorted to the airport and put on a plane back to Russia, with UK officials explaining this would have been a decision by the Dutch government.

Russian passports belonging to four GRU officers who tried to hack the global chemical weapons watchdog

The British ambassador to the Netherlands, Peter Wilson, said the GRU officers stopped in the Hague had planned to travel onwards to an OPCW-approved laboratory in Speiz, Switzerland, which was testing Skripal samples.

At the same time, the OPCW was also analysing the substance used in a chemical attack on the Syrian rebel stronghold of Douma.

The watchdog later found chlorine was used in the Syrian incident, which US, British and French authorities attributed to Vladimir Putin’s ally Bashar al-Assad.

A spokesperson for the OPCW thanked security services involved in thwarting the attack and said it takes the security of its information systems and networks “very seriously”.

“Since early 2018, the organisation has observed increased cyber-related activities,” a spokesperson said. ”The OPCW technical secretariat has undertaken measures to mitigate them.”

Speaking of the attempted attack, Mr Wilson said: “This was not an isolated act.

“The unit involved, known in the Russian military as Unit 26165, has sent officers around the world to conduct brazen close-access cyber-operations.”

Equipment found on the Russian spies who allegedly tried to hack the OPCW

Officials also revealed that a GRU linked group called “Sandworm” had attempted to compromise Foreign Office and Porton Down computer systems immediately after the Salisbury poisoning in March.

They said that because the “spear phishing” attack, where hackers attempt to fool recipients into opening malicious emails by posing as someone else, did not work they are unsure what the Russians wanted to do.

Other attacks have been aimed at intercepting and monitoring communications, gaining information or disrupting systems and operations.

Among the men arrested in The Hague was one officer accused of conducting “malign activity” targeting Malaysian institutions investigating the downing of flight MH17 by rebels supplied with a Russian missile system in Ukraine.

Mr Wilson said another of the GRU officers arrested in the Hague had also previously visited Lausanne, Switzerland, in September 2016.

They connected to wifi in a hotel where a World Anti-Doping Agency conference was taking place, including Olympic committee officials who became victims of a cyberattack.

Putin calls Sergei Skripal a 'traitor' and a 'scumbag' in Moscow remarks

Malware from another GRU linked group, APT28, compromised an official’s laptop, the hotel’s system and then the IP addresses of the International Olympic Committee.

Then in May, Russian hackers sent emails impersonating Swiss federal authorities to OPCW employees in an effort to compromise their systems.

The US Justice Department charged seven Russian military intelligence officers with hacking anti-doping agencies and other organisations later on Thursday.

The indictment said the GRU targeted victims who had publicly supported a ban on Russian athletes in international sport competitions and condemned Russia’s state-sponsored athlete doping programme.

Prosecutors said the Russians also targeted a Pennsylvania-based nuclear energy company.

Following the same pattern seen internationally, the hacking was often conducted remotely and officers would only launch “close-access” operations in person if that tactic failed.

A British government official said the timing and targeting of cyberattacks suggested that when there are international investigations into Russian activity, the “GRU seems to deploy”.

Mr Wilson said: “The GRU has interfered in free elections and pursued a hostile campaign of cyberattacks against state and civilian targets.

“The GRU is an aggressive, well-funded official body of the Russian state. It can no longer be allowed to act aggressively across the world against vital international organisations, with apparent impunity.”

In a joint statement, Ms May and Mr Rutte said the GRU had shown “disregard for the global values and rules that keep us all safe”.

“The GRU’s reckless operations stretch from destructive cyber activity to the use of illegal nerve agents, as we saw in Salisbury,” they added.

“We will uphold the rules-based international system and defend institutions from those that seek to do them harm.”

Nato secretary general Jens Stoltenberg warned Russia to halt its “reckless pattern of behaviour”, adding: “Nato allies stand in solidarity with the decision by the Dutch and British governments to call out Russia on its blatant attempts to undermine international law and institutions.”

British officials say they do not know how Russia will react to the latest revelations, but are expecting a fresh swell of disinformation and conspiracy theories.

Russian foreign ministry spokeswoman Maria Zakharova dismissed the new accusations, calling them “big fantasies”.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in