Foreign Office 🇬🇧 @foreignoffice
THREAD

The attempted hacking of the Organisation for the Prohibition of Chemical Weapons (OPCW) by the Russian Military Intelligence Service - the GRU - part of a sustained pattern of hostile cyberspace activity.

What we know ⬇️
The attempted hacking happened in April. Around that time, the OPCW was working to independently verify the UK’s analysis of the chemical used in the poisoning of the Skripals in Salisbury. The OPCW confirmed the UK’s analysis.
This operation in The Hague by the GRU was not an isolated act. The Unit involved, known in the Russian military as Unit 26165, has sent officers around the world to conduct brazen close access cyber operations.
One of the GRU officers who was escorted out of the country by Dutch authorities, Yevgeniy Serebriakov, also conducted malign activity in Malaysia.
This GRU operation was trying to collect information about the MH-17 investigation, and it targeted Malaysian government institutions including the Attorney General’s office and the Royal Malaysian Police.
We also know that the GRU officers who were stopped in The Hague planned to travel on to the OPCW designated laboratory in Spiez. This wouldn’t have been the first time they’d travelled to Switzerland.
Intelligence collected from a laptop that belonged to one of the GRU officers disrupted in The Hague shows that it had connected to WiFi at the Alpha Palmiers Hotel in Lausanne in September 2016 - where a WADA conference was taking place.
That conference was attended by officials from the International Olympic Committee and the Canadian Centre for Ethics in Sport. They found themselves the victims of a cyber-attack.
One official from the Canadian Centre had their laptop compromised by ‘APT28’ malware; this was probably deployed by an actor connected to the same hotel WiFi network.
The British Government has publicly revealed that APT28 and a number of other cyber actors, widely known to have been conducting cyber-attacks around the world, are in fact the GRU.
The officers disrupted in The Hague are part of the same Unit of the GRU – 26165 – which is responsible for APT28.
Another of the cyber actors identified as the GRU was Sandworm, which was active in the wake of the Salisbury attack. They were behind the following:
In March, straight after the Salisbury attack, the GRU attempted to compromise UK Foreign and Commonwealth Office computer systems via a spear phishing attack.
In April, GRU intrusions targeted both the computers of the UK Defence and Science Technology Laboratory and the Organisation for the Prohibition of Chemical Weapons.
In May, GRU hackers sent spear phishing emails which impersonated Swiss federal authorities to target OPCW employees directly, and thus OPCW computer systems.
These cyber-attacks were carried out remotely – by GRU teams based within Russia.
The GRU has also interfered in free elections and pursued a hostile campaign of cyber-attacks against state and civilian targets.
With its aggressive cyber campaigns, we see the GRU trying to clean up Russia’s own mess - be it the doping uncovered by WADA or the nerve agent identified by the OPCW.
Alongside our allies, the United Kingdom is committed to confronting, exposing and disrupting the GRU’s activity.