For decades Russia’s military intelligence agency, the GRU, lived in the shadow of Moscow’s other better-known spy organisations like the KGB and, since the end of the cold war, the FSB.
But in the space of a month, the agency has been thrust firmly into the spotlight as western governments and security services line up to blame it for a string of malign operations, which have taken Moscow’s relations with the west to a new low.
On Thursday, in a carefully choreographed international diplomatic effort, the British, Dutch and US governments took the unprecedented step of shattering the code of silence that traditionally characterises the world of intelligence, publishing painstaking details of cyber-attacks and covert international operations carried out by the GRU’s Unit 26165.
The UK’s Foreign Office went first, using technical assessments from Britain’s National Cyber Security Centre, part of communications intelligence service GCHQ, to point the finger of blame at the GRU for six international cyber-attacks since 2015.
Dutch security services then went further, publishing photographs, passport records and CCTV images of four Russian GRU agents accused of carrying out a cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW), the international chemical weapons watchdog, in The Hague.
The details, coming a month after British police named and published images of another two alleged GRU agents they believe carried out a nerve agent attack in Salisbury, are likely to have made Moscow’s spymasters even more uncomfortable.
Among the information released by the Dutch authorities was a taxi receipt used by one of the four agents, Aleksei Morenets, to travel from the Moscow street where the GRU is based to the city’s Sheremetyevo airport on April 10 — the date the group flew to the Netherlands.
Dutch authorities also revealed that the laptop of another of the men, Evgenii Serebriakov, contained proof that he had been active in Malaysia, targeting an investigation into the crash of Malaysia Airlines Flight MH17.
Finally, it was the US’s turn to weigh in, as the Department of Justice announced indictments against seven Russian GRU agents, including four of the men named by the Netherlands, for computer hacking, wire fraud, identity theft and money laundering.
The operations unearthed by an FBI investigation between 2014 and 2018 were conducted in locations including Rio de Janeiro, the Swiss city of Lausanne and the US state of Pennsylvania. The targets ranged from international sports bodies such as the world football governing body (FIFA), the International Association of Athletics Federations (IAAF) and the International Olympic Committee (IOC), to US companies like Westinghouse Electric Company.
When remote attacks conducted from the GRU’s headquarters in Moscow failed, the US authorities said, teams of supposedly covert operatives were dispatched to carry out “close access” hacking attempts.
Cyber security experts have in the past attributed many of the cyber-attacks to the GRU’s hacking unit, which goes under a host of different names including Fancy Bear, Sandworm and, most commonly, APT28. But the decision by western governments marks a ratcheting up of the pressure on Moscow and a determination to expose the GRU’s methods and activities.
Disrupt and degrade GRU
Despite this, one UK government official insisted the west was not seeking to escalate tensions with Moscow.
“Our quibble is not with the Russian people. Our aim is to disrupt and where we can degrade the capabilities of the GRU,” said the official.
One of the questions to emerge from the series of cyber-attacks and the nerve agent attack on the former Russian double agent Sergei Skripal in March is why highly trained agents from one of Russia’s elite spying agencies would appear to be acting with such apparent recklessness.
In the Dutch operation to target the OPCW, for example, the four agents are photographed being met at Schiphol airport by a diplomat from the Russian embassy in the Netherlands.
One possible explanation is that the GRU’s cyber-attack unit is being deployed at short notice, forced to cut corners and take unnecessary risks. This would appear to be backed up by a belief among senior UK government officials that the GRU cyber teams were being used primarily to attack and disrupt international institutions whenever Russia found itself accused of breaking rules.
“There seems to be a correlation between this activity by the GRU and situations where Russia finds itself coming under international pressure,” said one UK official.
Others argue it simply reflects an increasingly hostile attitude from the Kremlin.
“They have got a lot more brazen,” said Sir Tony Brenton, a former UK ambassador to Russia. “Moscow is in a pretty paranoid state about the west and organisations that it sees as cat paws for the west, like the OPCW.”
Western governments appear to be calculating that the only way to tackle such hostility is to continue to shine a light on the GRU’s activities. Whether it will deter Russia’s cyber warriors is another matter altogether.
“There’s not much point in naming and shaming someone who doesn’t feel shame,” said Keir Giles, an expert in cyber and information warfare at the think-tank Chatham House.
Copyright The Financial Times Limited 2018
According to a presentation given by the head of the Netherlands' military intelligence agency on Thursday, four Russian GRU agents arrived in the Netherlands on April 10 this year and were caught with spying equipment at a hotel next to the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.
The four were detained on April 13 and expelled to Russia, Dutch Major General Onno Eichelsheim said. They had planned to travel on to a laboratory in Spiez, Switzerland, used by the OPCW to analyse samples. Dutch agents recovered evidence including train tickets from Utrecht to Basel for April 17, as well as Google Map printouts of Russian consulates in the Swiss cities of Bern and Geneva. Russia called the accusations unfounded.
Two of the Russian agents expelled by the Netherlands are also being investigated by the Office of the Attorney General of the Swiss Confederation in a probe opened in March 2017. They are suspected of having tried to organise a cyber-attack against the World Anti-Doping Agency (WADA) office in Lausanne.
Swiss public television, RTS, reported on Thursday that the Dutch documents indicated the presence in Switzerland of the two Russian agents. They showed that they used the wi-fi network of two Lausanne hotels, the Lausanne Palace and Alpha Palmiers, between September 20 and 22, 2016. A WADA Executive Committee meeting took place in Lausanne on September 21.
Relations between Switzerland and Russia have been strained in recent weeks after Russian diplomats were suspected of large-scale espionage in Switzerland. Russia denies the allegations.
Commenting on Switzerland’s more reserved approach to the Russian spying allegation compared to other western countries, the NZZ newspaper said on Friday that “now is the time to put restraint aside”. It said Switzerland appeared to “stand on the sidelines” despite alleged attacks against two Swiss-based institutions, the Spiez lab and the WADA office.
Switzerland, NZZ wrote, “can no longer stand idly by and watch as its sovereignty is apparently trampled underfoot. If hostile actions presumably take place on Swiss territory, neutrality can no longer be the top priority”.