Bungling Russian spies’ passports identify more than 300 GRU agents

Bungling Russian spies’ biggest blunder revealed: Hacker’s car documents help identify more than 300 GRU agents… because his Lada is registered to their Moscow cyber HQ

  • US charges 7 Russian spies with crimes including hacking, identity theft and fraud using crypto-currencies 
  • British cyber security group accuses Russia’s GRU of at least four hacking attacks around the world 
  • Dutch authorities lift lid on operation to hack chemical weapons HQ in Netherlands in April 
  • Men were picked up with a cache of computer equipment, linking them to other incidents, and sent home 
  • US has released wanted poster featuring four Hague hackers and three others linked to anti-doping hacks 
  • GRU operatives – working under what US identified as Unit 26165 – created fake ‘hacktivist’ Fancy Bears group 
  • Russia faces storm of hacking allegations, but denies claims, calling latest evidence ‘big fantasies’ 

Putin’s hapless hackers caught red-handed in Holland inadvertently outed more than 300 other agents in their most extraordinary blunder, it was revealed today.

Spy agencies around the world now have a database of hundreds of Russian agents – all because two of the men caught in The Hague had diplomatic passports using their real names and dates of birth.

News agency Bellingcat, who revealed the true identities of the Salisbury assassins, say the two men are both registered as living at the GRU’s Military Academy in Moscow.

Alexey Morenets’ Lada is also registered at GRU’s cyber warfare department down the road – and investigators say by searching other vehicles registered to the same address they have identified 305 other members of the 26165 unit accused of hacking targets all over world.

To add to Mr Putin’s embarrassment the leaked list includes his spies’ names, dates of birth and mobile phone numbers – unmasking and effectively dismantling his most elite cyber attack unit.

Bungling hacker Alexey Morenets (pictured arriving at Schiphol Airport ahead of his spy mission) has helped unmask more than 300 fellow spies in Russia’s biggest cyber attack team

Morenets appears to be travelling under his real name and date of birth – leading them to his address: Moscow’s main spy centre

Morenets’ Lada Samara is registered to the GRU’s cyber academy in Moscow along with hundreds of other vehicles

By searching other vehicles registered to the same address, Bellingcat in vestigators have identified 305 other members of the 26165 unit accused of hacking targets all over world

Russian president Vladimir Putin waves to spectators prior to boarding a car after his arrival in New Delhi as the GRU’s campaign of cyber warfare against the west was exposed on a deeply embarrassing day for the Kremlin 

  • From Russia with Love: GRU spy’s dating profile picture that…

    Unit 26165’s trail of blunders: How Putin’s elite…

    ‘A diabolical perfume of lies’: Russia makes novichok…

    Britain, Holland and US spearhead fightback against Putin’s…

    Russia ‘interfered in three elections’ as it targeted…

    Caught red handed: The five key steps to catching the…

  • As Russia is found to be behind cyber attacks around the…

    Justice Department indicts seven Russian spies for hacking…

    THE NEW COLD WAR – The West fights back against Putin’s…

    Carry on Spying! Putin is mercilessly mocked yet again……

Share this article

Adding to the Russian President’s woes, it was also revealed today:

  • His country faces new sanctions to punish him for launching a four year cyber Cold War;
  • His team of four ‘dumb Bond’ spies caught at The Hague carried out blunder after blunder that revealed all the missions they carried out since 2015;
  • Evidence gathered by British and Dutch spies helps them uncover GRU’s giant spy network;
  • US vows to arrest and prosecute seven agents if they ever leave Russia for hacking and fraud; 

The West vowed last night to dismantle Vladimir Putin’s cyber war network amid warnings he could target a UK power station after a wave of ‘reckless’ attacks.

In a dramatic move yesterday, British and Dutch authorities named four members of Russia’s GRU military intelligence unit caught red-handed trying to infiltrate the inquiry into the Salisbury poisoning.

The four bungling officers were captured in the act during an extraordinary attempt to hack into the world’s chemical weapons watchdog – while sitting in a car outside its headquarters.

Security officials also accused the GRU of mounting cyber attacks against the Foreign Office and the military laboratory at Porton Down.

Hours later, the United States accused a string of Kremlin agents of trying to hack into anti-doping bodies and a nuclear power station.

The GRU used a laptop, Wi-Fi dongle and a rudimentary battery pack stored in the boot of a rented Citroen C3 in its botched cyber attack on the global chemical weapons watchdog, it was revealed today

Whitehall sources said they were confident the EU would approve sanctions against Russia this month to target those involved in the use of chemical weapons. The decision to reveal unprecedented details of a counter-espionage operation – which leaves relations between Russia and the West at a post-Cold War low – was designed to humiliate Putin, and expose the Kremlin’s ‘malign’ activities around the world.

Calling Russia a ‘pariah state’, Defence Secretary Gavin Williamson said: ‘Where Russia acts in an indiscriminate and reckless way, which they have done in terms of these cyber attacks, we will be exposing them.’

Foreign Office minister Sir Alan Duncan warned that Russia could try to shut down a British power station or bank next. He said: ‘On the one level this is frankly absurd and comical because they have been so cack-handed. But also it’s very dangerous because the next target could be a power station or trying to stop a bank from doing its work. They are doing very, very dangerous and malign things.’

The gang of four GRU spies, who operated under the codename Sandworm, targeted the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague in April, when officials were trying to confirm the origin of the novichok nerve agent used to poison former spy Sergei Skripal.

But Dutch intelligence agents, acting ‘in partnership’ with their British counterparts, intercepted the Kremlin spies in a hotel car park near the OPCW headquarters.

The US today charged seven Russian military intelligence officers over hacking attacks around the world. The group are accused of a range of attacks on institutions and individuals around the world. The attacks are linked to Russian attempts to spy on investigations into doping in sport, politics in the Ukraine and the US, and the poisoning of Sergei Skripal in the UK

After the Dutch named four men it caught hacking The Hague, US authorities released images of Artem Malyshev, 30, Ivan Yermakov, 32, and Dmitriy Badin, 27 (pictured, left to right), who it named as GRU hackers

CCTV images show Alexey Minin (left), while Oleg Sotnikov (right) is pictured on a photo recovered from a phone. They are both alleged to be members of the GRU’s hacking squad, who were unmasked today

Evgenii Serebriakov was among four Russians trying to hack chemical weapons inspectors and his laptop contained this selfie  at the 2016 Olympics in Brazil – revealing one of more than a dozen GRU missions across the globe

The inept GRU officers – who have been deported to Moscow – were caught trying to hack into the organisation’s computers using equipment hidden under a coat in the back of their hired car.

It was reported last night that they escaped criminal charges because they carried diplomatic passports.

The gang left behind a treasure trove of evidence about Russia’s techniques and their links to the GRU. 

These extraordinary errors included:

  • The cyber unit’s ‘burner’ mobile phones had their sim cards activated outside the headquarters of the GRU in Moscow;
  • Taxi receipts found in their Dutch hire car show that the men travelled from their spy centre to Moscow airport ahead of their hacking mission; 
  • The four GRU agents being identified the moment by secret services as they arrived at Amsterdam’s Schiphol Airport – and in an extra giveaway they were even met by a Russian handler;
  • They were followed and a MI6/Dutch spy team caught them red handed trying to hack into the OPCW’s wifi network using a boot full of kit;
  • When confronted they tried to smash and stamp on their phones and equipment;
  • The hackers had tickets, Google Maps routes, train tickets and Google searches setting out their mission;
  • They stayed in the Marriott Hotel next door to the OPCW and took out their bag of rubbish including cans of Heineken and packets of ham to avoid leaving evidence;
  • They targeted the OPCW just two days before they released their interim report into the Salisbury poisoning – the timing gave them a motive;
  • Two of the four men had the passport numbers 0135555 and 0135556 – showing that they were issued at the same time – a clear sign they are state-sponsored spies;
  • A laptop seized linked the men to cyber attacks across the globe including a selfie of a spy posing at an Olympic event in Rio in  2016 – where he also apparently hacked into athletes’ medical records; 

Russia dismissed the dossier as ‘Western spy mania’. Its foreign ministry said the allegations were a ‘rich fantasy of our colleagues from Britain’.

Surveillance footage shows the moment Dutch intelligence officers descended on the scene and caught the four men outside the chemical weapons agency

Authorities released a picture of the car which was rigged up with hacking equipment

One of the many phones belonging to four Russian GRU officers is seen after they tried to destroy it when they were arrested

Pictures show the cache of equipment seized from the men. They attempted to smash up some of the phones (inset) when they realised authorities were on to them

These images, made available by the Dutch Ministry of Defence today, are said to show the hacking equipment that four Russian intelligence officers used for a cyber attack on the OPCW

The men took their own rubbish – including several beer cans – out of their hotel room, presumably because they were concerned about an investigation

But the botched operation is a severe embarrassment for Putin and follows the failed assassination attempt against Mr Skripal in March. A UK security official said: ‘For GRU officers to be caught in this way would be considered a pretty bad day at the office.

‘Judging from past form elsewhere, discrediting the (Salisbury) investigation could well have been their motivation.’

It emerged last night that one of the GRU gang, Yevgeny Serebriakov, played in a Moscow football side known to opponents as the ‘security service team’.

In a joint statement last night, Theresa May and Dutch prime minister Mark Rutte said the decision to go public with their findings was designed to shine a light on the GRU’s ‘unacceptable’ behaviour. ‘The GRU’s reckless operations stretch from destructive cyber activity to the use of illegal nerve agents, as we saw in Salisbury,’ they said. ‘That attack left four people fighting for their lives and one woman dead.’

The leaders said the co-ordinated response showed the West was ready to ‘uphold the rules-based international system and defend international institutions from those that seek to do them harm’.

Britain’s ambassador to the Netherlands, Peter Wilson, also revealed that the GRU’s cyber-warfare arm launched a so-called ‘spear-phishing’ attack against the Foreign Office. The attack, which involved sophisticated fake emails, was detected and blocked by the UK’s cyber-defence systems.

A similar remote attack was detected the following month against Porton Down, the military lab which first identified the use of the Cold War nerve agent novichok in Salisbury.

Foreign Secretary Jeremy Hunt said yesterday’s revelations would show the world what Putin was up to, adding: ‘This is the evidence… that what we are getting from Russia is fake news, and here is the hard evidence of Russian military activity.’

He said the West would work together ‘to counter this pattern of cyber attacks – the new type of attack that the whole world is having to deal with’.


Unit 26165’s trail of blunders: How Putin’s elite globe-trotting hacking squad left a trail of clues including a selfie at the Olympics, a pile of beer cans and a TAXI RECEIPT from their spy base to airport

Western intelligence yesterday revealed the trail of clues that bungling Russian spies known as Unit 26165 left in their wake as they waged a war of disinformation across the globe.

Kremlin agents working for the GRU targeted FIFA, the World Anti-Doping Agency and the Organisation for the Prevention of the use of Chemical Weapons as it investigated both the Salisbury novichok attack in the UK as well as the Douma chemical weapons attack in Syria, the international investigation of the downing of MH17 and a US company providing nuclear power to Ukraine. 

President Vladimir Putin’s elite squad even created the fake ‘hacktivist’ group Fancy Bears to disseminate misleading statements designed to exonerate Russia of doping allegations and instead level them at the US.

But it was yesterday revealed that the spies left a trail of clues including blunder after blunder during their international campaign. 

The bungling started when four Unit 26165 spies  – two cyber specialists and two field agents – were caught in the Hague trying to use a fake wireless router to acquire logins to the wireless network of the Organisation for the prohibition of Chemical Weapons in April. 

At the time the OPCW was investigating the GRU’s Novichock attack on Sergei Skripal in Salisbury. 

One spy was caught with a mobile phone that had been activated on the GRU’s doorstep in Moscow. Then a taxi receipt revealed a journey from GRU headquarters to Moscow’s Sheremetyevo airport the very day that four agents arrived in Amsterdam, when two of the spies were seen using consecutive passport numbers.

Operatives who would later be found to have cleared out an Aldi bag of empty lager cans from their hotel room to try and hide DNA evidence.  

And when the men were arrested, they were caught with €20,000 (£17,000 or $23,025) and $20,000 (£15,000) in cash. The group also tried – and failed – to destroy a mobile phone, and they were caught with incriminating laptops.

One laptop even contained selfies from the 2016 Olympics in Brazil where Russian athletes’ doping samples were tampered with and US athletes’ medical records leaked.

And late last night it was revealed that a laptop had the Spiez laboratory in its search history. Train tickets revealed that the spies planned to visit the centre in Bern on April 17. It houses the Swiss body that protects the population against nuclear, biological and chemical attacks or other dangers.

The revelation came as the website Bellingcat circulated a dating profile thought to belong to agent Alexei Morenets – whose geolocation was listed as within 650 metres of the intelligence service’s headquarters. The site also found the spy’s car registered to the GRU’s department for cyber warfare using a 2011 database of ownership.

Another agent, Evgenii Serebriakov, used an email with the name Casey Ryback, a character played by Steven Seagal in the film Under Siege, which tells the story of terrorists attacking an American ship, today’s The Times reports. 

Operatives used a laptop, Wi-Fi dongle and a rudimentary battery pack stored in the boot of a rented Citroen C3 in a botched cyber attack on the global chemical weapons watchdog.

Using a technique from the early days of Wi-Fi, they attempted to break into the Organisation for the Prohibition of Chemical Weapons’s network in The Hague by tricking staff into logging into their fake router.

They parked the car at a local hotel and disguised the Wi-Fi antenna hidden inside the router, so staff would login. The laptop then stole their username and password, allowing the agents to get into the OPCW’s network.

Through the network they could spy on operations within the building, including investigations into the Salisbury Novichok attack.

It also emerged today that Russia’s bungling GRU agents left a trail of clues that helped authorities link them to the string of cyber attacks.

Among the items revealed at an extraordinary briefing in The Hague was a mobile phone one of the men was caught with having been activated near the Russian military intelligence’s headquarters in Moscow.

Also discovered on one of the spies was a taxi receipt showing a journey from a street next to the GRU base to Moscow Airport on April 10, the day that the four agents later arrived at Amsterdam Schiphol Airport.

The team of four GRU officers travelling on official Russian passports entered the Netherlands on April 10 – but it turned out that two of them were carrying documents with consecutive passport numbers.

On April 11, they hired a Citroen C3 and scouted the area around the OPCW – all the time being watched by Dutch intelligence. To hire the car they were required to give their addresses – and the operatives opted for Moscow locations, according to The Times. 

The agents, who stayed at a Marriott Hotel next to the Organisation for the Prohibition of Chemical Weapons in The Hague, were also found to have used public WiFi hotspots to conduct their operations in the Netherlands.

And they were photographed performed reconnaissance of the OPCW headquarters, where the nerve agent sample was being independently verified.

When leaving The Hague, the men took all the rubbish from their room – including empty cans of Heineken beer and what appeared to be an empty cold meat packet in an Aldi bag – in a further bid to cover their tracks.

On April 13, the GRU officers were said to have parked a rental car with specialist hacking equipment outside the OPCW’s headquarters to breach its systems – but British and Dutch intelligence thwarted the operation. 

The team of four GRU officers travelling on official Russian passports entered the Netherlands on April 10 – but it turned out that two of them were carrying documents with consecutive passport numbers

Also discovered on one of the spies was a taxi receipt showing a journey from a street next to the GRU base to Moscow Airport

And when the men were arrested, they were caught with €20,000 (£17,000) and $20,000 (£15,000) in cash. The group also tried – and failed – to destroy a mobile phone, and they were caught with incriminating laptops. 

A researcher has revealed that the rudimentary technique they used to hack into the OPCW is common – though it has never been used in such a high-profile case.

Professor Alan Woodward, a computer scientist at the University of Surrey, said the Russians likely used an ordinary laptop attached to a directional antenna, which was pointed at the OPCW building.

He said unlike more common remote hacking techniques, the GRU agents needed to park close to the site in order for the WiFi signal to be strong enough.

However, before they could initiate the attack, Dutch counter-intelligence officers descended on the vehicle and seized the men, who were kicked out of the country.

The Dutch Defence Ministry took the extraordinary step this morning of naming and picturing four Russian agents caught as they tried to carry out the cyber attack.

Looking at the equipment in the boot of the car it appears they were attempting to intercept login credentials as people tried to connect to the WiFi network at OPCW, Professor Woodward said.

‘A classic way of doing this is to set yourself up as what is known as an ‘evil access point’, he told MailOnline. ‘You pretend to be the network they are attempting to connect to and steal their login details as their computer or phone tries to connect.’

The cyber security expert said it was unusual for high level intelligence officials to use such a rudimentary form of attack. ‘[The technique] has been around as long as WiFi has,’ he told MailOnline.

‘Attacks have evolved as security in WiFi has evolved. But it’s so basic that most enterprise style organisations are well protected. Hence the high profile cases tend to be from some more remote source.’

Even if the security analysts were already attached to a WiFi, the attackers would have been able to launch a ‘deauthentication attack’.

This automatically disconnects them so their device tries to reconnect. The directional antenna were pointing specifically at the OPCW offices which means the fake network – the ‘evil access point’ – would have had a stronger signal than the real signal.

This would have lured the devices away from the real network. ‘Once you have someone’s login credentials you can obviously access the WiFi as an attacker if you are in range, which this vehicle apparently was’, Professor Woodward said.  


Source: Read Full Article