Russian hackers 'targeted chemical weapons experts investigating Salisbury attack'

Hackers belonging to the Russian intelligence service targeted the global chemical weapons watchdog after it opened an investigation into the Salisbury nerve agent attack, officials have said.

At a press conference in The Hague, British ambassador to the Netherlands Peter Wilson accused the service - known as the GRU - of sending operatives around the world to carry out a series of "brazen, close access" attacks.

Among them was an attempt to hack the OPCW, which monitors chemical weapons activity.

"This disruption happened in April. Around that time the OPCW was working to independently verify the United Kingdom's analysis of the chemical weapons used in the poisoning of the Skripals in Salisbury," Mr Wilson said.

He added: "This was not an isolated act."

Shortly after the conference, the US announced it had charged seven Russian military intelligence officers over hacking allegations.

The attempted strike on the OPCW happened in April, shortly after the Novichok investigation began, Mr Wilson said.

The four GRU officers had parked a car carrying specialist hacking equipment outside the OPCW headquarters at the Hague.

But their efforts were foiled by Dutch counter-terrorism teams, and the men were then ordered to leave the country.

They were identified as Alexey Minin, Evgenii Serebriakov, Oleg Sotnikov, and Aleksei Morenets.

Mr Wilson went on to say that the men had been planning to travel to the OPCW's laboratory in Switzerland before they were stopped.

He said that evidence collected from a laptop belonging to one of the Russian officers showed it had connected to wifi at a Swiss hotel in September 2017, where a World Anti-Doping Agency conference was taking place.

The hotel was subject to a hacking attack during the conference, he added.

Later on Friday, the US Justice Department said it had indicted seven Russian intelligence officers, including all four of the GRU operatives named by the UK and the Netherlands.

They were charged, along with a further three defendants, with being part of the group known as Fancy Bears, which hacked anti-doping authorities and leaked records causing controversy for cyclist Sir Bradley Wiggins and other sports stars.

Three of the seven defendants had also already been charged in an indictment brought in July by the office of the Special Counsel relating to a conspiracy to interfere with the 2016 US presidential elections.

Assistant attorney general for national security, John Demers, said it was part of a Russian campaign to pursue its interests through "disinformation operations aimed at muddying or altering perceptions of the truth".

The indictment said the GRU had targeted the hacking victims because they had publicly supported a ban on Russian athletes in international sports competitions and because they had condemned Russia's state-sponsored athlete doping programme.

Prosecutors said the Russians had also targeted a Pennsylvania-based nuclear energy company.

Hacking equipment was found in their car.

The UK Foreign Office tweeted a thread detailing the elements of the case, and evidence gathered.

UK and Dutch prime ministers Theresa May and Mark Rutte released a joint statement condemning the "unacceptable" cyber attacks.

On Twitter, Nato Secretary General Jens Stoltenberg voiced support for the joint press conference.

"NATO stands in solidarity with the Dutch & UK governments in calling out #Russia on its cyber attacks against @OPCW & others," he said.

"Russia must stop its reckless pattern of behaviour to undermine international law & institutions. NATO Allies work together to bolster our cyber defences."

Assistant attorney general for national security, John Demers criticised the Russian 'disinformation' campaign. Credit: AP

The Netherlands' defence minister said the GRU had also targeted files on the MH17 plane crash investigation.

It comes after the UK government announced it had found the GRU was behind an "indiscriminate and reckless" campaign of cyber attacks around the world.

Foreign Secretary Jeremy Hunt said the GRU had targeted political institutions, businesses, media and sport in a series of cyber strikes, accusing the Kremlin of being an "organisation which is trying to foster instability around the world".

He called their protestations of innocence "fake news", and said the UK would be discussing what further possible sanctions could be imposed.

The National Cyber Security Centre (NCSC) said it had identified a number of hackers known to have launched attacks as being part of the GRU.

The move will further strain relations with Russia after Britain blamed Moscow for the nerve agent attack in Salisbury last March, which left one person dead, prompting a wave of condemnation around the world.

The NCSC linked four new attacks with the GRU, on top of previous strikes believed to have been conducted by Russian intelligence.

Among targets of the GRU attacks were the World Anti-Doping Agency (Wada), transport systems in Ukraine, and democratic elections such as the 2016 US presidential race, according to the NCSC.

Jeremy Hunt claimed the cyber attacks "serve no legitimate national security interest" - instead impacting innocent people and their lives.

Russian President Vladimir Putin. Credit: PA

He said the UK and allies would "expose and respond to" the GRU's actions.

Meanwhile, Defence Secretary Gavin Williamson said he hoped that by speaking out against Russia, the foreign power would be less likely to continue such attacks in future.

"What we have made clear is that we are not going to be backward-leaning - we are going to make it clear where Russia acts, that we are going to be exposing that action," he said.

"We believe that by doing so, this will act as a disincentive for acting in such a way in future."

The NCSC said it had "high confidence" the agency was "almost certainly" responsible for the following attacks:

  • Ransomware attack on Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets in October 2017

  • World Anti Doping Agency attack in August 2017

  • US Democratic National Committee in 2016

  • A "small UK-based TV station in 2015"

The NCSC had previously attributed the GRU with these:

  • A destructive attack targeting Ukrainian financial, energy and government sectors in June 2017

  • A VPNFILTER malware infected thousands of home and small business routers and network devices worldwide in October 2017

The NCSC said it was “almost certainly” the GRU behind a “BadRabbit” attack in October 2017 that caused disruption to the Kyiv metro, Odessa airport and Russia’s central bank.

According to the NCSC, the GRU is associated with the names:

  • APT 28

  • Fancy Bear

  • Sofacy

  • Pawnstorm

  • Sednit

  • CyberCaliphate

  • Cyber Berkut

  • Voodoo Bear

  • BlackEnergy Actors


  • Tsar Team

  • Sandworm

The Fancy Bears website has been linked by UK to the Russian intelligence service. Credit: AP

And Britain’s cyber security chiefs say they have “high confidence” Russian intelligence was responsible for a strike on Wada in August 2017.

The NCSC also stated that the GRU was “almost certainly” to blame for hacking the Democratic National Committee during the US presidential election in 2016.

And the agency pointed the finger at the GRU for accessing email accounts at a small UK-based TV station in 2015.

Russian Foreign Ministry spokeswoman Maria Zakharova dismissed the new hacking accusations from the UK as "big fantasies".

And, asked about the accusations, a spokesman for the Russian embassy accused the UK Foreign Office of "crude disinformation" and of trying to "confuse world public opinion".

The GRU is accused of meddling in the 2016 US presidential race, won by Donald Trump Credit: AP

Britain’s relations with Russia have been in the deep freeze since the Salisbury attack which targeted former Kremlin agent Sergei Skripal.

UK authorities believe two Russians, using the aliases Alexander Petrov and Ruslan Boshirov, smeared the highly toxic Novichok chemical on a door handle at the Wiltshire home of Mr Skripal on March 4.

The attack left Mr Skripal and his daughter Yulia critically ill, and Dawn Sturgess, 44, who was later exposed to the same nerve agent, died in July.