Feared, ruthless, stealthy, tactically astute – just a handful of the epithets that have been ascribed to Russia’s GRU intelligence agency and its allegedly extensive hacking operations around the world. Last week, the GRU acquired some less desirable ones, including “hapless” and “bungling”.
What went wrong? If the GRU blames anyone it should start with the press conference held earlier this week by the Dutch Ministry of Defence.
In excruciating detail, the Dutch explained how in April they’d caught four Russians red-handed trying to break into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) from a hired car parked outside its offices in The Hague.
Items found in the arrested men’s possession provided a trove of information. In addition to the equipment used for Wi-Fi penetration, a laptop used by one man, Yevgeny Serebriakov, was found to contain a trail of data linking him to hacking operations in several countries, including one against the World Anti-Doping Agency (WADA) which had been investigating doping by the country’s athletes.
On the laptop, he’d even stored a photograph of himself taken at the Rio Olympics in 2016, a casual act for a spy but perhaps a sign that the GRU is a modern employer embracing BYOD.
Other giveaways included a taxi receipt used by another of the men that showed he’d travelled from GRU headquarters in Moscow to the airport on April 10, the day the men flew to the Netherlands.
It also emerged that all four were travelling under their real names, including one, Alexey Morenets, who drives a car registered to the GRU’s alleged cyberwarfare department. By checking other vehicles registered to the same address, it has been claimed that the identities of a further 300 GRU operatives might have been compromised.
When picked up at their hotel, one of the four took out his phone and started stamping on it in an unsuccessful attempt to destroy its contents. The Dutch even extracted a signed confession on headed notepaper from another, stating that he was working for the GRU.
In a coordinated announcement, the US authorities indicted seven Russians (including the four arrested by the Dutch), charging them with a wide range of hacking attacks as well as wire fraud, money laundering, and identity theft.
What were the Russians doing?
From the brief descriptions given, it seems likely they were setting up a rogue access point impersonating the OPCW’s Wi-Fi network (a so-called evil twin), so that employees’ devices would connect to it instead of the real network and hand over credentials that could then be relayed or replayed against the genuine one.
Hacking is often presented as a risk-free remote activity, but the men needed to get physically close for a simple reason: a Wi-Fi attack only works within radio range of the target network. Close-access operations of this kind probably happen all the time without anyone noticing (or with the target noticing but dealing with it more quietly).
Nevertheless, the fact that physical proximity is a risk worth taking on so many operations is a reminder that Wi-Fi access is seen as a back door into organisations – one reason why the revised WPA3 specification, among a number of security overhauls, set out to make it harder for a rogue access point to harvest usable credentials.
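What the defender’s side of this looks like, as an added example that is not part of the original article and is not the OPCW’s, the Dutch MoD’s or any vendor’s tooling: a small detector that runs over Wi-Fi scan results and flags the evil-twin pattern described above. It assumes the defender keeps an inventory of the BSSIDs (radio MAC addresses) of its own access points and knows which security mode the corporate SSID uses; the SSID, BSSIDs and scan records below are constructed for the example, not captured data. Rogues are reported strongest-signal first, since a radio in a car parked outside the building tends to be closer to the victims than the building’s own ceiling-mounted access points.

```python
"""Rogue (evil twin) access point detection over a constructed Wi-Fi scan.

Added example, not the article's or any agency's code. Assumes the defender
knows its own access points' BSSIDs and the security mode of its SSID.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    channel: int
    security: str  # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"
    rssi: int      # dBm; values closer to 0 mean a stronger signal


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    reason: str


# Hypothetical defender inventory (constructed values).
CORP_SSID = "CORP-WIFI"
CORP_SECURITY = "WPA2-Enterprise"
AUTHORISED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

# Constructed scan output: ssid,bssid,channel,security,rssi. The last two
# networks are the rogues; the neighbour's network is unrelated noise.
SAMPLE_SCAN = """
# ssid,bssid,channel,security,rssi
CORP-WIFI,00:11:22:AA:BB:01,6,WPA2-Enterprise,-55
CORP-WIFI,00:11:22:AA:BB:02,11,WPA2-Enterprise,-62
Neighbour,66:77:88:99:00:AA,1,WPA2-PSK,-80
CORP-WIFI,DE:AD:BE:EF:00:01,6,WPA2-Enterprise,-40
CORP-WlFI,DE:AD:BE:EF:00:02,1,OPEN,-45
"""


def parse_scan(text):
    """Parse comma-separated scan lines, skipping blanks and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, security, rssi = (f.strip() for f in line.split(","))
        records.append(ScanRecord(ssid, bssid.lower(), int(channel), security, int(rssi)))
    return records


def normalise_ssid(ssid):
    """Collapse trivial look-alike tricks (case, padding, l/i, 0/o) so that
    'CORP-WlFI ' compares equal to 'corp-wifi'."""
    return ssid.strip().lower().replace("l", "i").replace("0", "o")


def find_rogues(records, corp_ssid=CORP_SSID, corp_security=CORP_SECURITY,
                authorised=AUTHORISED_BSSIDS):
    """Return Findings for every network that looks like the corporate SSID
    but is not one of our radios in its expected security mode."""
    want = normalise_ssid(corp_ssid)
    findings = []
    for r in records:
        if normalise_ssid(r.ssid) != want:
            continue  # unrelated network, ignore
        if r.bssid in authorised:
            if r.security != corp_security:
                # Our own radio, but misconfigured: worth a ticket, not an alarm.
                findings.append(Finding(r.bssid, r.ssid, r.channel, r.rssi,
                                        "authorised radio advertising unexpected security mode"))
            continue
        if r.security != corp_security:
            reason = f"look-alike of {corp_ssid} with downgraded security ({r.security})"
        else:
            reason = f"{corp_ssid} advertised by unauthorised BSSID"
        findings.append(Finding(r.bssid, r.ssid, r.channel, r.rssi, reason))
    # Strongest signal first: the closest transmitter is the most urgent one.
    return sorted(findings, key=lambda f: f.rssi, reverse=True)


if __name__ == "__main__":
    for f in find_rogues(parse_scan(SAMPLE_SCAN)):
        print(f"{f.bssid} ch{f.channel} {f.rssi}dBm {f.ssid!r}: {f.reason}")
```

The normalisation step is deliberately crude; in practice you would compare against a list of known-good SSIDs with a proper homoglyph table, and feed the BSSID inventory from the wireless controller rather than hard-coding it. A wireless intrusion detection system does essentially this continuously, which is why a close-access team cannot assume a rogue radio will go unnoticed.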
What’s really going on?
The tactic here is considered one of the most effective at disrupting nation state hacking – publicity.
Blocking and monitoring only gets you so far in cyber. Sometimes it is more effective to name the individual human beings doing the spying and hacking, and to photograph the methods and equipment they use and put them on display, as a way of demystifying their work.
Earlier this year, the Dutch served up another example that talked up their prowess against Russian intelligence hackers.
Ironically, it’s an idea the Russians pioneered, the infamous example of which was their gleeful exposure of a 2006 UK spying operation that involved agents talking to a fake rock sitting in a Moscow park.
Oh how the Russian officials laughed at the British with their fake rocks.