How Russian spies bungled cyber-attack on weapons watchdog

The GRU intelligence agency is undoubtedly ambitious but this operation is hardly a triumph

The four Russians arriving at Amsterdam’s Schiphol airport looked like classic business travellers. Two of them – Alexey Minin and Oleg Sotnikov – strolled casually through arrivals. Sotnikov, head down, looked as if he was making a joke. Just behind were a pair of younger men, both going bald. They were Evgenii Serebriakov and Alexsei Morenets.

The travellers were thirty- and fortysomething Russian diplomats. At least, that is what their passports said. Clearly they were on a mission of some kind; a tie-wearing official from Russia’s embassy in the Netherlands came to the airport to greet them. But the precise reason for their trip from Moscow to Holland was unknown.

In fact the group were not tourists, as they would later meekly claim. They were undercover officers working for the GRU – the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation. Of Russia’s three spy agencies, the GRU is the biggest and the most powerful.

The four intelligence officers who arrived in Holland belonged to a covert GRU cyberhacking team, investigators believe. Their trip to the country was merely the latest in a series of secret international assignments. Their target this time was the Organisation for the Prohibition of Chemical Weapons (OPCW).

The circular HQ of the OPCW was in The Hague, downtown, an hour’s drive away. The four men hired an inconspicuous black Citroën C3 car and set off. It was Tuesday 10 April 2018. Each man had a defined role. Morenets and Serebriakov were cyber-operators. Minin and Sotnikov were responsible for reconnaissance and were there to make sure nothing went wrong.

It was not difficult to guess why Moscow might want to hack OPCW communications. The previous month two GRU officers had tried to kill a former colleague, Sergei Skripal, in Salisbury. They used the nerve poison novichok. The plot had not worked – Skripal was alive – and the UK government had publicly accused the Russian state of attempted murder.

The Kremlin vehemently denied this. The OPCW was about to release the results of its investigation into the Skripal case , findings that would confirm Downing Street’s claims and lead to international condemnation. Meanwhile, in Syria, another chemical weapons attack had taken place in the city of Douma. The west blamed the Assad regime; Moscow the rebels.

The next day Minin scoped out the target, according to Dutch investigators. He took photos of the OPCW building and the Marriott hotel next door. He went back at least twice. The operation was slated for Friday 13 April. The Russians drove their vehicle to the Marriott, and parked just across the road from the OPCW, under a dull spring sky.

GRU operatives are meant to be part of an elite spy cadre – highly trained professionals, dedicated to the motherland, and schooled in operational warfare. In reality the four turned out to be bungling amateurs. Seemingly, British intelligence knew of the plot in advance. They tipped off their Dutch colleagues. The men were closely tracked.

When the Dutch swooped they discovered sophisticated equipment hidden in the car’s boot: a computer, a 4G smartphone, a transformer and battery bag. There was also a white rectangular wifi panel antennae covered with a dark coat. The spies bought the battery in The Hague and kept the receipt. Serebriakov had brought additional devices for hacking wifi connections.

The boot of a vehicle found outside the Organisation for the Prohibition of Chemical Weapons, in The Hague.
The boot of a vehicle found outside the Organisation for the Prohibition of Chemical Weapons, in The Hague. Photograph: Dutch Ministry of Defence

There were further tell-tale clues. The GRU officers took their rubbish with them from their hotel rooms: tins of green Heineken and empty fruit juice bottles, found in the vehicle in a plastic shopping bag. They had a lot of cash for breezy sightseers from Moscow: $20,000 and €20,000, sorted into crisp hundred-dollar bills.

The most spectacular evidence was retrieved from seized cellphones and a camera. One of the men tried to destroy his mobile, further proof, according to the Dutch, that the group had received security training. One phone had been switched on for the first time, on 9 April. The location, identified by a cell-tower, was the GRU’s barracks in Moscow’s Komsomolsky Prospekt.

Unlike James Bond, officers engaged in real-life international espionage need to account for their expenditure. And so Morenets snapped a copy of his taxi receipt. It revealed that on 10 April he went by taxi from the GRU’s HQ in Nezvishkiy Pereulok to terminal F of Sheremetyevo airport. His 32km journey cost 842 roubles (£10). We do not know if he was repaid, or if he left a tip.

The firm Be Taxis confirmed the receipt was real. “Yes, this is ours. The driver Tsvetkov is now on a shift,” a company employee said.

By late spring, western intelligence agencies had pieced together a comprehensive picture of the GRU’s cyber operations abroad. Its sweep was astonishing. At a time when Moscow was accused of running a state-sponsored doping programme, Serebriakov had travelled in August 2016 to the Olympic games in Brazil. Found on his laptop was a photograph – the spy with an unknown young woman wearing a “Russia” T-shirt.

In December 2017 Serebriakov flew to Malaysia’s capital, Kuala Lumpur. He stayed at the Grand Millennium hotel. Dutch prosecutors say he was targeting Malaysia’s chief prosecutor and police. They were investigating MH17, the Malaysian airliner shot down in the summer of 2014 in eastern Ukraine by a Buk anti-aircraft missile. The launcher came from Russia, Dutch investigators believe.

Days later Serebriakov was using a wifi hotspot in Lausanne, Switzerland. He appears to have checked into the Alpha-Palmiers and Palace hotels. His apparent goal was to hack into the World Anti-Doping Agency (Wada) and to infect its systems with custom-built GRU malware.

The four men pictured at Schiphol airport.
The four men pictured at Schiphol airport. Photograph: Dutch Ministry of Defence

At the time Wada was briefing the International Olympic Committee on its long-running investigation into Kremlin doping. Wada had long been a Moscow target: one recovered laptop was registered to a hotel network in 2016 where the Wada congress was being held.

The Hague was not the final stop of the GRU team’s mini-tour. The group bought a train ticket for 17 April from Utrecht to Bern, Switzerland. The ostensible target this time was the Spietz laboratory, near Bern, which had been testing samples provided by Britain. The lab confirmed the substance used against Sergei Skripal and his daughter, Yulia, was novichok.

The Russians caught in Holland were not diplomats; rather, they were veteran members of the GRU’s Sandworm cyber unit. Their mission could hardly be deemed a success. They were expelled.

The Kremlin’s denials may work inside Russia but will convince few in western countries, where governments are increasingly weary of hyper-aggressive Russian operations.

After Thursday’s revelations no one can be in any doubt of the GRU’s staggering ambition and global footprint. It has been a bad spell for the agency, which has suffered setbacks in Salisbury and The Hague. It may spend a little time updating tradecraft and its expenses policy. But its officers will carry on and continue to probe for weakness in “enemy” defences.


Luke Harding

The GuardianTramp

Related Content

Article image
String of own goals by Russian spies exposes a strange sloppiness
The secretive, daring GRU seems to have lost its way in the age of internet search

Andrew Roth in Moscow

05, Oct, 2018 @4:00 AM

Article image
Russia accused of cyber-attack on chemical weapons watchdog
Netherlands expelled four GRU officers after alleged attacks on OPCW and UK Foreign Office

Pippa Crerar, Jon Henley and Patrick Wintour

04, Oct, 2018 @2:48 PM

Article image
Suspected Russian cyber-attack growing in scale, Microsoft warns
Government agencies around world among targets in SolarWinds ‘espionage-based’ hack

Dan Sabbagh Defence and security editor

18, Dec, 2020 @5:07 PM

Article image
Russian SolarWinds hackers launch email attack on government agencies
Microsoft says group targeted more than 15o American and foreign organisations using USAid account

Alexandra Villarreal and agencies

28, May, 2021 @5:28 PM

Article image
EU to run war games to prepare for Russian and Chinese cyber-attacks
Ministers to be put in fictional scenarios after series of hacking incidents

Daniel Boffey in Helsinki

27, Jun, 2019 @12:48 PM

Article image
UK accuses Kremlin of ordering series of 'reckless' cyber-attacks
Foreign Office increases pressure on Russia after Skripal poisoning

Patrick Wintour Diplomatic editor

03, Oct, 2018 @11:01 PM

Article image
Macron hackers linked to Russian-affiliated group behind US attack
Cybersecurity firms think group with ties to Russian intelligence was behind leak of emails and other documents belonging to French election winner’s campaign team

Alex Hern

08, May, 2017 @10:36 AM

Article image
Google warns of surge in activity by state-backed hackers
More than 50,000 alerts sent so far this year, including of an Iranian group that targeted a UK university

Dan Milmo Global technology editor

15, Oct, 2021 @12:00 PM

Article image
Ukraine hit by ‘massive’ cyber-attack on government websites
Suspected Russian hackers leave message warning: ‘Ukrainians … be afraid and expect worse’

Luke Harding in Kyiv

14, Jan, 2022 @8:45 AM

Article image
MI5 chief not alone in voicing fears about Russian cyber-threat
The Kremlin has dismissed Andrew Parker’s claim but others have raised concern about Russia’s online activities

Shaun Walker in Moscow

01, Nov, 2016 @3:59 PM