
Russian GRU Hackers Caught Red-Handed At OPCW

Four Russians with diplomatic passports were expelled by the Netherlands after an alleged cyberattack

Four Russian GRU agents were caught red-handed trying to break into the OPCW in The Hague.

They were attempting a close-access operation, meaning one carried out hands-on against the targeted network, server, or computer.

Two of the spies were cyber ‘operators’ and two were HUMINT intelligence officers. 

That they were caught indicates a lack of proper preparation, a lack of agent recruitment (someone with clearance and access), and a mind-numbing arrogance with which the GRU is becoming routinely associated.

The attack occurred during the OPCW investigations of a chemical weapons attack in Syria and the novichok attack on the Skripals, in which Russia wants its role hidden or disguised and any evidence wiped out.

Not only were the GRU agents who placed the novichok on the Skripals' door handle identified and publicly outed, but the GRU agents sent to remove or damage the files of the OPCW investigation into these incidents were caught at the OPCW headquarters.

Tradecraft 101, guys.  I guess you weren’t paying attention at the MDA. 

Overall, seven Russians were charged with the attack against the OPCW.

The remaining three were accused of hacking in support of the 2014 Sochi Olympic doping scandal.

The Russians have been responding. Our friend Igor Panarin, political analyst:

“I consider the time chosen in the context of a general offensive against Russia, when almost every day there are statements from various countries, primarily the United Kingdom, the United States, now the Netherlands, aimed at demonizing Russia and creating a certain negative background. It seems to me that the Netherlands, dependent on trade with Russia, is under British pressure. Yesterday, the Russian president clearly stated his position on the “Skripal case”. I think the British leadership did not like it, today new information followed in order to poison Russian-Dutch relations and worsen the general background around Russia.”

And, from an anonymous source at the Russian Foreign Ministry, 

“We are entering into all structures of the organization, why should we hack? We have access, the entire network is open to us. This is more nonsense.”

Of course, it is an attack against Russia, reporting the truth.  Russia loves presenting itself as the victim.  I suppose these gentlemen were visiting a cathedral in The Hague and sightseeing?  RT, Margarita, time for your interview!

Russian response to all reports of Russian operations against the West: 

  1. Deny, deny, deny.
  2. Obfuscate
  3. Alternate theories
  4. Attack the source

Check, check, check, and check.

</end editorial>

Russian GRU agents ‘caught hacking chemical weapons watchdog’

The Times

Extensive details of a bungled Russian cyber attack on the headquarters of the international chemical weapons watchdog in The Hague have been released as Western powers step up pressure on Vladimir Putin’s spy network.

Four officers from Russia’s military intelligence service, the GRU, were caught “in flagrante” in a joint Dutch-UK operation on April 13, according to Whitehall officials. The spies were attempting a so-called “close access attack” to compromise the Organisation for the Prohibition of Chemical Weapons (OPCW) at a time when the international body was investigating the Salisbury novichok poisoning and chemical attack on Douma, Syria.

Equipment seized in the operation pointed to previous attempts to hack investigations in Malaysia into the downing of MH17, and in Switzerland thought to be on the World Anti-Doping Agency.

The passport photographs of the four agents caught trying to hack into the OPCW
Pictures of the four men released by Dutch authorities today

London also released details of two other failed cyberattacks that took place around the same time — one on the Foreign Office after the Salisbury poisonings and another on the Ministry of Defence’s Defence Science and Technology Laboratory in Porton Down in April.

Both were so-called “spear phishing” attempts in which spoof emails loaded with malware are sent remotely to targeted organisations with the aim of compromising their wider computer systems.

The decision to release extensive details follows Theresa May’s promise to step up the disruption of Russian spying at the time of the identification of the two suspects of the attempted assassination of Sergei Skripal.

Technical equipment was seized from the boot of the agents’ car

In a Commons statement on September 5th, she said Salisbury was “not a rogue operation” and would “almost certainly” have been approved at a “senior level of the Russian state”.

The trove of information collected in the Hague operation last April today helps explain that stance and moves responsibility closer to the Russian president.

In a statement Sir Alan Duncan, the minister for Europe, said: “This operation in The Hague by the GRU was not an isolated act. The Unit involved, known in the Russian military as Unit 26165, has sent officers around the world to conduct brazen close access cyber operations.

“One of the GRU officers who was escorted out of the country by our Dutch colleagues, Yevgeniy Serebriakov, also conducted malign activity in Malaysia.

“This GRU operation there was trying to collect information about the MH-17 investigation, and it targeted Malaysian government institutions including the Attorney General’s office and the Royal Malaysian Police.”

The details released today included a taxi receipt from GRU headquarters to Moscow’s airport as well as a picture of one of the men with an unidentified female at the Brazil Olympics. Two of the passport numbers were sequential. The motivation appeared to be as much to ridicule their spycraft as to prove their responsibility.

The four-man team was arrested as they parked a rented car outside the OPCW headquarters

Dutch intelligence officers caught the four-man team as they parked a rented car outside the OPCW headquarters in The Hague. Technical equipment seized in the boot of the car, covered with a coat, yielded “significant amounts” of intelligence, according to officials.

The equipment included phones and laptops with details of reconnaissance operations at The Hague and details of previous trips.

“It’s hard to know their full intent as their operation failed but judging from their past form elsewhere it could have been to discredit the investigation,” said a UK security official.

The men had arrived in Holland on official diplomatic Russian passports in a rented car (Dutch Ministry of Defence)

The Dutch authorities released CCTV images of the four men arriving at Schiphol Airport as well as photographs of their passports. They were named as Aleksei Morenets, described as a cyber operator, Evgenii Serebriakov, also a cyber operator, Oleg Sotnikov, described as humint (human intelligence) support and Alexey Minin, also humint support.

The men were escorted to the airport and sent home — a decision that was taken by the Dutch government. It is not clear why the men weren’t arrested but sources pointed out that they were travelling on official passports and that the primary aim of the operation was to disrupt the attempted attack rather than build a criminal case.

The men had arrived on April 10 on official diplomatic Russian passports in a rented car. They spent several days in a hotel, carefully removing their rubbish and carrying out reconnaissance. UK officials refused to say whether MI6 had tipped off their Dutch colleagues but it is clear they were being watched. They were apprehended as soon as they parked their car outside the OPCW HQ. One stamped on a smart phone in an apparent attempt to destroy evidence.

The details were revealed today after Britain accused the GRU of a wave of other cyberattacks across the globe.

Jeremy Hunt, the foreign secretary, said that the GRU was waging a campaign of “indiscriminate and reckless” cyberstrikes against political institutions, businesses, media and sport.

The National Cyber Security Centre (NCSC) said that a number of hackers known to have launched attacks had now been linked to the GRU.

Moscow has lashed out angrily at what it called “hellish” British allegations.

“The rich fantasy of our colleagues from Britain knows no borders,” said Maria Zakharova, the Russian foreign ministry spokeswoman.

Ms Zakharova said Mr Hunt’s statement was part of a British campaign to discredit Russia that also included allegations that GRU officers carried out the Salisbury poisonings in March.

“This is a hellish perfumed mixture,” she said, a reference to the fake Nina Ricci perfume bottle that British police say was used to transport the novichok nerve agent used in the Salisbury attack on Sergei Skripal, a former Russian double agent.

“I’d like to see the people who think all this up. It’s possible they are just judging by themselves, and describing what they themselves do,” Ms Zakharova added.

A spokesman for the Russian embassy said: “This statement is reckless. It has become a tradition for such claims to lack any evidence. It is yet another element of the anti-Russian campaign by the UK government.”


