Russia's GRU accused of targeting OPCW in the Netherlands

REUTERS

Western governments mounted an unprecedented and coordinated fightback on Thursday against "brazen" attempts by Russia to meddle in international affairs, publicly unmasking alleged intelligence agents and blaming Moscow for a series of audacious cyber attacks.

The Dutch government accused Russia’s military intelligence agency, the GRU, of targeting the world’s chemical weapons watchdog, the Organisation for the Prohibition of Chemical Weapons (OPCW), through a foiled cyber operation.

Hours earlier, Britain, backed by close intelligence allies Australia and New Zealand, pointed the finger at the GRU for carrying out a worldwide campaign of “malicious” cyber attacks, including the hacking of the US Democratic National Committee in 2016.

The choreographed announcements by Western allies, expected to be followed later by the United States, amounted to a significant escalation of tensions with Moscow.

“The GRU has interfered in free elections and pursued a hostile campaign of cyber attacks,” said Peter Wilson, the British ambassador to the Netherlands. “It is an aggressive, well-funded body of the Russian state. It can no longer be allowed to act across the world… with apparent immunity.”

The Dutch operation

Dutch officials gave unprecedented details as they outlined the alleged Russian operation against the OPCW at a joint Dutch-UK government news conference in The Hague.

Describing it as “very worrying,” Bijleveld-Schouten said four Russian military intelligence officers were expelled on April 13, the same day the plot was detected.

They left belongings behind, she said, that also enabled the Dutch to discover that one of the agents’ laptops had made connections to Brazil, Switzerland, and Malaysia, trying to interfere with the investigation into the downing of Malaysia Airlines Flight 17 in eastern Ukraine in 2014.

The head of Dutch counter-intelligence, Major General Onno Eichelsheim, named the four alleged Russian officers as Aleksei Morenets and Evgenii Serebriakov – who had very similar passport numbers, he said – Oleg Sotnikov, and Alexey Minin. The alleged agents were traveling on diplomatic passports, Eichelsheim said.

In comments made before the joint Dutch-UK press conference, Russia rejected Britain’s claim that the GRU was behind a global campaign of cyber attacks.

Russian Foreign Ministry spokeswoman Maria Zakharova said the accusations were “fake” and an attempt to mix allegations of cyber hacking with a conspiracy against Russian sport.

Addressing reporters, Eichelsheim, the Dutch counter-intelligence head, gave a detailed description of what the four alleged GRU officers were doing when their operation was disrupted.

The four agents arrived in the Netherlands on April 10, rented a car the following day, and parked it in a hotel parking lot as close as possible to the OPCW headquarters in The Hague, Eichelsheim said.

“They were doing some exploration work for a close-access hack operation,” he said.

“We know for sure they were not on holiday in the Netherlands. They had numerous telephones on them, different sizes, different makes. They had quite a few on them personally,” he said. “Morenets tried to destroy the phone, or at least break the phone, when the operation was destroyed … he did not succeed completely.”

Sotnikov had a large amount of cash on him: €20,000 and $20,000, Eichelsheim said. “That is not an amount I carry on holiday,” he said.

“They were very aware of security,” the Dutch official said, adding that they took garbage out of their hotel rooms.

“In the boot of the Citroen C3 (car they rented), we recognized high-value, high-grade equipment to hack Wi-Fi channels,” he said. “The main element is of course the antenna … that needs to access the network, in this case the network of the OPCW. The antenna aimed towards the OPCW.”

A battery to boost the power of their equipment was bought on April 11. “This battery was active in the back of this car at the Marriott hotel,” Eichelsheim said. “That caused an immediate threat to the OPCW network,” he said.

“It is my task that those type of cyber operations cannot be a success, and that is why we decided to disrupt the GRU operation and the four men were accompanied to leave the country. In that way we were able to protect the OPCW and we were able to avoid serious damage to the OPCW,” Eichelsheim said.

“We must not forget that at that time the OPCW was investigating the Skripals and the chemical attack in Douma,” he added, referring to attacks in Britain and Syria respectively.

Nerve agent attack

Britain has blamed the GRU for the poisoning of Russian former double agent Sergei Skripal and his daughter Yulia with a military-grade nerve agent in the English city of Salisbury on March 4.

UK investigators have also formally linked the attack on the Skripals to the June 30 poisoning of Dawn Sturgess and Charlie Rowley, a couple living in Amesbury, near Salisbury. Sturgess died on July 8 after applying a substance to her wrists from a perfume bottle found by Rowley.

The Kremlin has consistently dismissed official British allegations.

In early September, British authorities released the names “Ruslan Boshirov” and “Alexander Petrov” as the suspects in the poisonings. Prime Minister Theresa May and British authorities believe the men were traveling under aliases.

In response, Putin described the two suspects as “civilians.” He said Russia had identified the pair and found no evidence of criminal activities.

In an interview broadcast on the Kremlin-backed RT network, the two men admitted visiting Salisbury but denied carrying out the Novichok poisoning, saying that the purpose of their brief trip was to visit the city’s historic landmarks.

UK investigative website Bellingcat last week claimed to have identified one of the two suspects as a highly decorated officer in the Russian military. Moscow denied the Bellingcat report, describing the allegation as “bogus.”

GRU hackers blamed

In statements Thursday, British, Australian and New Zealand authorities attributed four high-profile cyber attacks to GRU-backed hackers. The attacks targeted four sectors that impact people’s daily lives – democracy, transport, media and sport.

They were:

Bad Rabbit

The Bad Rabbit ransomware attack in 2017 spread through Russia and Ukraine and around the world. Ransomware attacks threaten a user’s files or computer access unless a ransom is paid. In the case of Bad Rabbit, the hackers disguised the ransomware as an update to Adobe software before locking down computers and demanding money for people to get their files back.

Most victims were located in Russia, but several cybersecurity firms identified attacks linked to Bad Rabbit in Turkey, Germany, Bulgaria, Japan, South Korea and the United States.

World Anti-Doping Agency hack

The WADA attack involved the release of Therapeutic Use Exemptions (TUE) for sports stars including American four-time Olympic gold medalist Simone Biles as well as tennis sisters Venus and Serena Williams.

At the time, WADA President Craig Reedie said that the hacking was clearly a retaliatory attack after 118 of Russia’s athletes were banned from competing at the Rio 2016 Olympic Games following revelations of “state-sponsored” doping.

DNC attack

All three countries said they had determined Russia hacked the Democratic National Convention ahead of the 2016 presidential election. That hack led to the release of a batch of private e-mails and notes, including many that belonged to Hillary Clinton’s campaign manager, John Podesta.

In the months following the cyber attack, the US intelligence community concluded that Russia did in fact attempt to interfere in the 2016 presidential elections, and top national security officials said in August that Russia is continuing to pursue similar efforts.

TV station attack

The statements accused Russia of stealing content and illicitly accessing email accounts from a small UK-based TV station in July and August 2015. The station was not named.