Putin’s hapless hackers caught red-handed in Holland inadvertently outed more than 300 other agents in their most extraordinary blunder, it was revealed today.
Spy agencies around the world now have a database of hundreds of Russian agents – all because two of the men caught in The Hague had diplomatic passports using their real names and dates of birth.
News agency Bellingcat, who revealed the true identities of the Salisbury assassins, say the two men are both registered as living at the GRU’s Military Academy in Moscow.
Alexey Morenets’ Lada is also registered at GRU’s cyber warfare department down the road – and investigators say by searching other vehicles registered to the same address they have identified 305 other members of the 26165 unit accused of hacking targets all over world.
To add to Mr Putin’s embarrassment the leaked list includes his spies’ names, dates of birth and mobile phone numbers – unmasking and effectively dismantling his most elite cyber attack unit.
Adding to the Russian President’s woes, it was also revealed today:
The extraordinary moment the four ‘dumb Bonds’ were arrested at the Marriott in The Hague was revealed by the hotel’s manager today.
Vincent Pahlplatz said police arrived at the hotel in the city’s upmarket Statenkwartier district and asked him what rooms the men were in when the spies all emerged from the lift.
But there were ‘no guns, no handcuffs or force’ and the men left calmly until one threw his smartphone on the ground and started stamping on it.
Mr Pahlplatz told AFP: ‘The police went to the front desk and said we would like to talk to a few of your guests,” Pahlplatz told AFP. At that very same time, the four men came out of the elevator into the lobby, coincidentally.
‘The police officers simply told the men: “Will you please follow me’ — and they did”. They followed the police outside and never returned. Some people were checking in and they didn’t even notice what was going on’.
He added: ‘It sounds like James Bond but there was no James Bond involved. No Aston Martins, no revolving number plates, nobody sky diving from the rooftop. It’s a very dull James Bond story’.
The West vowed last night to dismantle Vladimir Putin’s cyber war network amid warnings he could target a UK power station after a wave of ‘reckless’ attacks.
In a dramatic move yesterday, British and Dutch authorities named four members of Russia’s GRU military intelligence unit caught red-handed trying to infiltrate the inquiry into the Salisbury poisoning.
The four bungling officers were captured in the act during an extraordinary attempt to hack into the world’s chemical weapons watchdog – while sitting in a car outside its headquarters.
Security officials also accused the GRU of mounting cyber attacks against the Foreign Office and the military laboratory at Porton Down.
Hours later, the United States accused a string of Kremlin agents of trying to hack into anti-doping bodies and a nuclear power station.
Whitehall sources said they were confident the EU would approve sanctions against Russia this month to target those involved in the use of chemical weapons. The decision to reveal unprecedented details of a counter-espionage operation – which leaves relations between Russia and the West at a post-Cold War low – was designed to humiliate Putin, and expose the Kremlin’s ‘malign’ activities around the world.
Calling Russia a ‘pariah state’, Defence Secretary Gavin Williamson said: ‘Where Russia acts in an indiscriminate and reckless way, which they have done in terms of these cyber attacks, we will be exposing them.’
Foreign Office minister Sir Alan Duncan warned that Russia could try to shut down a British power station or bank next. He said: ‘On the one level this is frankly absurd and comical because they have been so cack-handed. But also it’s very dangerous because the next target could be a power station or trying to stop a bank from doing its work. They are doing very, very dangerous and malign things.’
The gang of four GRU spies, who operated under the codename Sandworm, targeted the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague in April, when officials were trying to confirm the origin of the novichok nerve agent used to poison former spy Sergei Skripal.
But Dutch intelligence agents, acting ‘in partnership’ with their British counterparts, intercepted the Kremlin spies in a hotel car park near the OPCW headquarters.
The inept GRU officers – who have been deported to Moscow – were caught trying to hack into the organisation’s computers using equipment hidden under a coat in the back of their hired car.
It was reported last night that they escaped criminal charges because they carried diplomatic passports.
The gang left behind a treasure trove of evidence about Russia’s techniques and their links to the GRU.
These extraordinary errors included:
Russia dismissed the dossier as ‘Western spy mania’. Its foreign ministry said the allegations were a ‘rich fantasy of our colleagues from Britain’.
But the botched operation is a severe embarrassment for Putin and follows the failed assassination attempt against Mr Skripal in March. A UK security official said: ‘For GRU officers to be caught in this way would be considered a pretty bad day at the office.
‘Judging from past form elsewhere, discrediting the (Salisbury) investigation could well have been their motivation.’
It emerged last night that one of the GRU gang, Yevgeny Serebriakov, played in a Moscow football side known to opponents as the ‘security service team’.
In a joint statement last night, Theresa May and Dutch prime minister Mark Rutte said the decision to go public with their findings was designed to shine a light on the GRU’s ‘unacceptable’ behaviour. ‘The GRU’s reckless operations stretch from destructive cyber activity to the use of illegal nerve agents, as we saw in Salisbury,’ they said. ‘That attack left four people fighting for their lives and one woman dead.’
The leaders said the co-ordinated response showed the West was ready to ‘uphold the rules-based international system and defend international institutions from those that seek to do them harm’.
Britain’s ambassador to the Netherlands, Peter Wilson, also revealed that the GRU’s cyber-warfare arm launched a so-called ‘spear-phishing’ attack against the Foreign Office. The attack, which involved sophisticated fake emails, was detected and blocked by the UK’s cyber-defence systems.
A similar remote attack was detected the following month against Porton Down, the military lab which first identified the use of the Cold War nerve agent novichok in Salisbury.
Foreign Secretary Jeremy Hunt said yesterday’s revelations would show the world what Putin was up to, adding: ‘This is the evidence… that what we are getting from Russia is fake news, and here is the hard evidence of Russian military activity.’
He said the West would work together ‘to counter this pattern of cyber attacks – the new type of attack that the whole world is having to deal with’.
, 41, is an officer in Russia’s GRU and believed to be one of its top hackers – but also responsible for most extraordinary blunder of The Hague mission.
It appears that Morenets inadvertently outed more than 300 other agents working for the GRU in Moscow.
Investigators have found he travelled on a diplomatic passport using his real names and date of birth.
News agency Bellingcat, who revealed the true identities of the Salisbury assassins, say he is registered as living at the GRU’s Military Academy in Moscow.
Morenets’ Lada is also registered at GRU’s cyber warfare department down the road – and investigators say by searching other vehicles registered to the same address they have identified 305 other members of the 26165 unit accused of hacking targets all over world.
To add to Mr Putin’s embarrassment the leaked list includes his spies’ names, dates of birth and mobile phone numbers – unmasking and effectively dismantling his most elite cyber attack unit.
The online expert also uses the online nicknames Lexa and Alexey, according to the FBI, and even uploaded a picture of his face to the website mylove.ru using a photograph taken in the Russian capital.
When he wasn’t targeting anti- doping agencies and helping spread fake news in a bid to level allegations of substance abuse at western athletes, the 41-year-old appeared to be seeking women aged 21 to 30 in Moscow.
It was also possible to geolocate the profile to within 650 feet of the GRU headquarters.
And the profile picture appears to have been taken close to the intelligence base. The famous Panasonic building is clearly in shot, indicating it was taken on Komsomolsky Prospekt.
, 37, also known as Zhenya, is believed to be hiding in Moscow.
The cyber expert used an email with the name Casey Ryback, a character played by Steven Seagal in the film Under Siege, which tells the story of terrorists attacking an American ship.
His laptop was packed with details about previous misisons and even contained selfies from the 2016 Olympics in Brazil where Russian athletes’ doping samples were tampered with and US athletes’ medical records leaked.
His computer also had the Spiez laboratory in its search history and train tickets to Bern where a wanted to hack more chemical weapons inspectors.
He was travelling under his real name and date of birth – and in another fatal error was registered as living at the GRU’s Moscow headquarters.
, 30, is described by the FBI as a ‘senior lieutenant’ in Unit 26165.
Born in a small rural town near the picturesque Valdai National Park in the north west of Russia, he went on to become a member of the GRU’s hacking unit.
Documents released yesterday state he used the names ‘djangomagicdev’ and ‘realblatr’ online as part of the hacking conspiracy.
The FBI want him over the hack on the 2016 US presidential election, with the indictment stating he stole and released documents ‘to interfere with the election’.
He is also charged over a wider group of offences, related to hacks on the World Anti-Doping Agency (Wada) and the US anti-doping agency.
Baby-faced 32, was born in the grim, industrial Chelyabinsk region of eastern Russia.
US authorities say he was involved in one the first hacks attributed to Unit 26165, reconnaissance of Westinghouse Electric Company’s (WEC) in Pennsylvania, a company involved in the supply of power to the Ukraine.
FBI documents state he would often pose as women online.
He used the names Kate S. Milton, James McMorgans and Karen W. Millen online.
Yermakov was also involved in ‘spearphishing’ attacks on WADA in 2016, and activities at the Rio Olympics.
, 27, is the youngest of the seven men named by the US yesterday as being part of the hacking group.
He was previously named among 12 agents who allegingly hacked into American computers to interfere with the 2016 presidential election.
He was born in Kursk, close to Russia’s border with Ukraine, a city which is forever associated with the Soviet Union’s tank battle victory over the Nazis in the Second World War.
He has previously been described as an ‘Assistant Head of Department’ in the GRU hacking squad.
The latest FBI poster states he is wanted over ‘computer intrusions of the United States Anti-Doping Agency (USADA), the World Anti-Doping Agency (WADA) and other victim entities during the 2016 Summer Olympics and Paralympics and afterward’.
Hackers’ minder and GRU spy , 46, appears to have been in The Hague to protect two hackers trying to break in the OPCW’s WiFi.
Bearded Minin is one of the oldest in the group and could be the man who stamped on his phone after being arrested in Holland in April
The FBI appear to know little about him including where he was born, his date of birth or if he has any aliases.
But it is believed he is an intelligence officer who accompanies and protects GRU hackers on their worldwide trips.
He is wanted for conspiracy to commit computer fraud, conspiracy to commit wire fraud and conspiracy to commit money laundering, the US State Department said yesterday.
The FBI wanted poster also says he should be considered ‘armed and dangerous’ and he is believed to be in Russia.
, 46, appears to be a Russian agent in Holland to protect the GRU’s cyber experts.
The FBI said he is wanted for money laundering offences in the US and may have been involved in criminal activities since 2014.
Like his comrade Minin, little is known about him, including his real name because Sotnikov is believed to be his alias.
He posed for a photograph found on Serebriakov’s laptop outside a Dutch station when they bought tickets for their next mission in Bern.
But the team never made it to Switzerland after they were arrested in the Marriott in The Hague and deported from Holland.
Sotnikov is considered armed and dangerous and believed to be in Russia.
, 55, is the oldest member of Unit 74455 and is thought to order operations from Moscow.
He was born in the small city of Obninsk, not far from Moscow in 1962, when Soviet leader Nikita Khrushchev was in power.
Pictures show the well-decorated officer dripping in medals, suggesting he has enjoyed and long and successful military career. He is likely to have been in the GRU at the same time as double agent Sergei Skripal.
The FBI say Osadchuk ‘held the rank of Colonel and was the commanding officer of Unit 74455’. His wanted poster adds: ‘Osadchuk was last known to be located in Moscow, Russia’.
He is wanted over the US election hacking.
Western intelligence yesterday revealed the trail of clues that bungling Russian spies known as Unit 26165 left in their wake as they waged a war of disinformation across the globe.
Kremlin agents working for the GRU targeted FIFA, the World Anti-Doping Agency and the Organisation for the Prevention of the use of Chemical Weapons as it investigated both the Salisbury novichok attack in the UK as well as the Douma chemical weapons attack in Syria, the international investigation of the downing of MH17 and a US company providing nuclear power to Ukraine.
President Vladimir Putin’s elite squad even created the fake ‘hacktivist’ group Fancy Bears to disseminate misleading statements designed to exonerate Russia of doping allegations and instead level them at the US.
But it was yesterday revealed that the spies left a trail of clues including blunder after blunder during their international campaign.
The bungling started when four Unit 26165 spies – two cyber specialists and two field agents – were caught in the Hague trying to use a fake wireless router to acquire logins to the wireless network of the Organisation for the prohibition of Chemical Weapons in April.
At the time the OPCW was investigating the GRU’s Novichock attack on Sergei Skripal in Salisbury.
One spy was caught with a mobile phone that had been activated on the GRU’s doorstep in Moscow. Then a taxi receipt revealed a journey from GRU headquarters to Moscow’s Sheremetyevo airport the very day that four agents arrived in Amsterdam, when two of the spies were seen using consecutive passport numbers.
Operatives who would later be found to have cleared out an Aldi bag of empty lager cans from their hotel room to try and hide DNA evidence.
And when the men were arrested, they were caught with €20,000 (£17,000 or $23,025) and $20,000 (£15,000) in cash. The group also tried – and failed – to destroy a mobile phone, and they were caught with incriminating laptops.
One laptop even contained selfies from the 2016 Olympics in Brazil where Russian athletes’ doping samples were tampered with and US athletes’ medical records leaked.
And late last night it was revealed that a laptop had the Spiez laboratory in its search history. Train tickets revealed that the spies planned to visit the centre in Bern on April 17. It houses the Swiss body that protects the population against nuclear, biological and chemical attacks or other dangers.
The revelation came as the website Bellingcat circulated a dating profile thought to belong to agent Alexei Morenets – whose geolocation was listed as within 650 metres of the intelligence service’s headquarters. The site also found the spy’s car registered to the GRU’s department for cyber warfare using a 2011 database of ownership.
Another agent, Evgenii Serebriakov, used an email with the name Casey Ryback, a character played by Steven Seagal in the film Under Siege, which tells the story of terrorists attacking an American ship, today’s The Times reports.
Operatives used a laptop, Wi-Fi dongle and a rudimentary battery pack stored in the boot of a rented Citroen C3 in a botched cyber attack on the global chemical weapons watchdog.
Using a technique from the early days of Wi-Fi, they attempted to break into the Organisation for the Prohibition of Chemical Weapons’s network in The Hague by tricking staff into logging into their fake router.
They parked the car at a local hotel and disguised the Wi-Fi antenna hidden inside the router, so staff would login. The laptop then stole their username and password, allowing the agents to get into the OPCW’s network.
Through the network they could spy on operations within the building, including investigations into the Salisbury Novichok attack.
It also emerged today that Russia’s bungling GRU agents left a trail of clues that helped authorities link them to the string of cyber attacks.
Among the items revealed at an extraordinary briefing in The Hague was a mobile phone one of the men was caught with having been activated near the Russian military intelligence’s headquarters in Moscow.
Also discovered on one of the spies was a taxi receipt showing a journey from a street next to the GRU base to Moscow Airport on , the day that the four agents later arrived at Amsterdam Schiphol Airport.
The team of four GRU officers travelling on official Russian passports entered the Netherlands on April 10 – but it turned out that two of them were carrying documents with consecutive passport numbers.
On , they hired a Citroen C3 and scouted the area around the OPCW – all the time being watched by Dutch intelligence. To hire the car they were required to give their addresses – and the operatives opted for Moscow locations, according to The Times.
The agents, who stayed at a Marriott Hotel next to the Organisation for the Prohibition of Chemical Weapons in The Hague, were also found to have used public WiFi hotspots to conduct their operations in the Netherlands.
And they were photographed performed reconnaissance of the OPCW headquarters, where the nerve agent sample was being independently verified.
When leaving The Hague, the men took all the rubbish from their room – including empty cans of Heineken beer and what appeared to be an empty cold meat packet in an Aldi bag – in a further bid to cover their tracks.
On , the GRU officers were said to have parked a rental car with specialist hacking equipment outside the OPCW’s headquarters to breach its systems – but British and Dutch intelligence thwarted the operation.
And when the men were arrested, they were caught with €20,000 (£17,000) and $20,000 (£15,000) in cash. The group also tried – and failed – to destroy a mobile phone, and they were caught with incriminating laptops.
A researcher has revealed that the rudimentary technique they used to hack into the OPCW is common – though it has never been used in such a high-profile case.
Professor Alan Woodward, a computer scientist at the University of Surrey, said the Russians likely used an ordinary laptop attached to a directional antenna, which was pointed at the OPCW building.
He said unlike more common remote hacking techniques, the GRU agents needed to park close to the site in order for the WiFi signal to be strong enough.
However, before they could initiate the attack, Dutch counter-intelligence officers descended on the vehicle and seized the men, who were kicked out of the country.
The Dutch Defence Ministry took the extraordinary step this morning of naming and picturing four Russian agents caught as they tried to carry out the cyber attack.
Looking at the equipment in the boot of the car it appears they were attempting to intercept login credentials as people tried to connect to the WiFi network at OPCW, Professor Woodward said.
‘A classic way of doing this is to set yourself up as what is known as an ‘evil access point’, he told MailOnline. ‘You pretend to be the network they are attempting to connect to and steal their login details as their computer or phone tries to connect.’
The cyber security expert said it was unusual for high level intelligence officials to use such a rudimentary form of attack. ‘[The technique] has been around as long as WiFi has,’ he told MailOnline.
‘Attacks have evolved as security in WiFi has evolved. But it’s so basic that most enterprise style organisations are well protected. Hence the high profile cases tend to be from some more remote source.’
Even if the security analysts were already attached to a WiFi, the attackers would have been able to launch a ‘deauthentication attack’.
This automatically disconnects them so their device tries to reconnect. The directional antenna were pointing specifically at the OPCW offices which means the fake network – the ‘evil access point’ – would have had a stronger signal than the real signal.
This would have lured the devices away from the real network. ‘Once you have someone’s login credentials you can obviously access the WiFi as an attacker if you are in range, which this vehicle apparently was’, Professor Woodward said.