Four Russian GRU agents were expelled by Dutch authorities in April after they were caught trying to infiltrate an IT network belonging to the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. The four state-sponsored hackers were also planning to attack an OPCW laboratory in Spiez, Switzerland but were thwarted by alert authorities.
In March this year, the global chemical weapons watchdog had pledged to offer technical assistance to the UK to help it accurately investigate the Salisbury incident that involved the poisoning of Sergei and Yulia Skripal with a nerve agent.
In April, detailed analysis carried out by the OPCW designated laboratories of environmental and biomedical samples confirmed the identity of the toxic chemical that was used in Salisbury, which prompted the U.S., the UK, and European countries to join in denouncing Russia for using a nerve agent on British soil.
GRU agents belonged to APT 28 hacker group
The four GRU agents, who were named by the Dutch authorities as Alexei Morenetz, Yevgeny Serebriakov, Oleg Sotnikov, and Alexei Minin, were carrying diplomatic passports when they visited the Netherlands in April. They stationed themselves in a hotel next to the OPCW office and tried to hack into the OPCW’s Wi-Fi network before they were captured by authorities and expelled from the country.
According to information accessed by BBC, the four hackers belonged to GRU’s Unit 26165 which is also known as APT 28. This hacker group has been accused of targeting insider information related to governments, militaries, and security organisations that would likely benefit the Russian government. Unlike China-based threat actors, APT 28 does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.
APT 28 is also believed to be behind an attempted cyber-attack on the UK’s Anti-Doping Agency in March this year which was foiled by the agency just in time. The group was also accused of orchestrating a domain-spoofing campaign to spoof domains owned by World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA), and the Olympic Council of Asia (OCASIA) in response to the ban imposed on Russia from participating in the Winter Olympics hosted by South Korea in January.
“The allegations of the GRU attempting to hack the OPWC fall under standard international spying. The OPWC is one of the lead bodies that investigate the use of chemical weapons in Syria. The information that that does not make it into the official reports has very valuable intelligence for the Russian military operating in and supporting Syria,” said Ross Rustici, senior director, intelligence services at Cybereason.
“The surprising aspect of this is not the target or the perpetrators, but rather that the hack was unsuccessful. Everything else that appears to be rolled out during this coordinated effort between Western allies is a highlight of Western cyber defence failures. It is rare that cyber defenders have enough evidence to announce a success on their part while still demonstrating culpability.
“Unfortunately, this latest round of public announcements is going to do little to influence how Russia operates. The fact that almost everything that is being discussed today is a demonstration of Russia’s effectiveness in this space only shores up their confidence in using these techniques as a way to influence and undermine European and American preferred outcomes,” he added.
GRU implicated by the UK as well
The announcement by the Dutch authorities coincided with an announcement by the UK’s National Cyber Security Centre in which the cyber security watchdog claimed it had evidence to prove that Russia’s premier military intelligence agency GRU was behind a large number of “indiscriminate and reckless cyber attacks” on political institutions, businesses, media, and sports organisations.
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.
“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability,” said Foreign Secretary Jeremy Hunt.
The NCSC announced that a number of well-known Russian hacker groups that have caused mayhem across the world in the past few years are composed of GRU agents and are therefore, actively supported by the Russian government. These hacker groups include APT 28, Fancy Bear, Sofacy, Pawnstorm, STRONTIUM, Sandworm, Sednit, CyberCaliphate, Voodoo Bear, Cyber Berkut, and BlackEnergy Actors.