Russia hack: Taxi receipts to lager cans – the trail of evidence left by spies who tried to attack the chemical weapons watchdog

Four spies drank cheap lager in hotel room before embarking on failed hacking mission 

Lizzie Dearden
Security Correspondent
Friday 05 October 2018 09:42 BST
Russia cyber attacks: UK ambassador to the Netherlands praises Dutch intelligence services

On 10 April, a seemingly unremarkable group of Russian men arrived at Amsterdam’s Schiphol airport on diplomatic passports.

They were greeted by an official from the Russian embassy in the Netherlands, who helped them hire a car to be used in their stay.

Aleksei Morenets, Evgenii Serebriakov, Oleg Sotnikov and Alexey Minin then travelled more than 40 miles to The Hague Marriott Hotel.

It was not chosen for its four-star rating, but for the view – over the Organisation for the Prohibition of Chemical Weapons (OPCW) international headquarters.

The four “diplomats” were in reality agents from the GRU military intelligence agency, on a mission to hack into the chemical weapons watchdog’s computer systems.

Weeks after the attack on Sergei Skripal, the OPCW’s scientists were testing samples taken from Salisbury that would be verified as Russian-made novichok within days.

The GRU had to act quickly, and having already tried and failed remote cyberattacks on the OPCW, UK Foreign Office and laboratory at Porton Down, a “close-access” attempt was the only option left.

Specialist equipment intended for the alleged hacking of the Organisation for the Prohibition of Chemical Weapons’ wifi networks (PA)

The four spies started preparing for their mission, equipped with multiple mobile phones, cameras, specialist hacking equipment and the equivalent of almost £35,000 in cash.

On 11 and 12 April, Dutch investigators said they carried out reconnaissance of the OPCW building and its surroundings.

They photographed the headquarters from numerous angles, including from inside the Marriott hotel.

At some point, the four agents went shopping for a large battery in The Hague, which also houses Dutch government institutions, international embassies, the International Court of Justice and International Criminal Court.

By 13 April, they were ready to strike. Their hired Citroen C3 had its boot fitted out with a covered wifi antenna, computer, transformer and specialist equipment set up for hacking internet connections.

All that was left to do was to park it within range of the OPCW headquarters and get to work.

But Dutch security services, with help from Britain and other allies, had detected the plot and sprang into action before it could succeed.

As police officers moved in, the Russians attempted to destroy their equipment but not quickly enough, leaving an unprecedented cache of intelligence.

The group had attempted to be careful, using old-fashioned Samsung “burner phones” alongside more sophisticated smartphones.

Their operational security training even extended to the rubbish bin in their hotel rooms, which they emptied of cheap lager cans and fruit juice bottles that were taken on the mission.

But it all came to nothing as they were arrested and escorted to the Dutch border by police, who sent them back to Moscow.

Intelligence services were left to analyse a treasure trove of information left on the men’s phones, computers and other devices that revealed their past movements and future plans.

Despite their diplomatic cover, the connection to the GRU was not hard to find.

One of the phones recovered, a Sony Xperia, had been activated through a cell tower next to the GRU’s headquarters in Moscow on 9 April.

The following day, Morenets ordered a taxi from the street outside the barracks directly to Moscow Sheremetyevo Airport, where he and his three fellow agents would fly onwards to Amsterdam. He kept the receipt.

The car carrying hacking equipment used by the GRU officers (Dutch Ministry of Defence/PA)

Minin’s camera allowed investigators to retrace their steps as they carried out hostile reconnaissance on the OPCW.

And Serebriakov’s laptop showed he had been researching the Spiez Laboratory in Switzerland, which had been tasked with testing Salisbury samples.

Dutch investigators identified the laboratory as the group’s next target after discovering they had purchased train tickets onwards to Bern and printed out maps of Russian diplomatic facilities in the area.

They would never reach it, and days after the attempted attack on the OPCW, the organisation publicly verified the use of novichok in Salisbury.

The decision to release the identities of the GRU operatives involved has sparked another round of investigations by international intelligence services and citizen groups.

Online investigators Bellingcat and The Insider website said their checks suggested that Aleksei Morenets, Evgenii Serebriakov, Oleg Sotnikov and Alexey Minin were real identities rather than aliases.

The GRU officers were apprehended by Dutch intelligence officers (Dutch Ministry of Defence/PA)

They accessed database records for Morenets giving his registered address as Ulitsa Narodnogo Opolcheniya 50, an address in Moscow where the military academy of the Ministry of Defence is situated. This academy is known as the GRU Conservatory.

On a separate Russian car ownership database, Morenets is listed as the owner of a Lada car registered to Komsomolsky Prospekt 20 – the GRU barracks where the four spies caught their taxi on 10 April.

It is also the home of GRU unit 26165, identified by Dutch, British and American officials as its cyberwarfare department.

A search for vehicles registered to the same address turned up 305 names alongside their passport details and, in some cases, telephone numbers.

As Bellingcat noted: “If these 305 individuals are indeed officers or otherwise affiliated with the GRU’s military unit 26165, their listing in a publicly accessible database may constitute one of the largest mass breaches of personal data of an intelligence service in recent history.”
