This was an unprecedented announcement; the kind of coordinated, international response Ciaran Martin, CEO of the NCSC, had alluded to months earlier in the aftermath of the Sergei Skripal affair. The GRU had, over a period of years, waged a “reckless and indiscriminate” campaign of cyber attacks, it was alleged, and here was the proof.
So certain were the intelligence community that they were willing to forgo secrecy and make public what would ordinarily stay private. For civilians everywhere this was a rare glimpse into the clandestine world of espionage; an attempt to push back against an escalating campaign of unchecked Russian interference. But what specifically did the GRU, and by extension the Kremlin, stand accused of?
The allegations were many. First, the British Government accused the GRU of masterminding a string of high-profile attacks targeting businesses in Russia and Ukraine, an unnamed UK-based television network and even the US Democratic Party.
The US Government made similar assertions when attempts were made to infiltrate the international governing body of football, FIFA, and the Pennsylvania-based nuclear energy company Westinghouse. Canadian officials also linked Russian intelligence to a series of security breaches at the Centre for Ethics in Sport and the Montreal-based World Anti-Doping Agency.
Sports institutions were a high priority, it seemed. Perhaps this was related to the state-sponsored doping scandal which saw Russia temporarily suspended from world athletics in 2015, or the leaking of medical records pertaining to certain British cyclists by Fancy Bear in 2016 – one of many pseudonyms NCSC now attributes to the GRU.
It was the Netherlands who made the most damning accusations, however. In April 2018, four Russians were detained and later deported by Dutch authorities. Each held a diplomatic passport, and the four were found to be in possession of sophisticated surveillance equipment. These were members of GRU Unit 26165, it was alleged, also known as APT28 – another known alias.
Their apparent target was the Organisation for the Prohibition of Chemical Weapons (OPCW), which had been investigating both the use of chemical weapons in Syria and the poisoning of Sergei Skripal in Salisbury a month earlier. Their apparent objective was to disrupt IT infrastructure in the building, via close or ‘drive-by’ attacks on Wi-Fi networks – standard practice in cybercraft.
Crucially, among the equipment seized was a laptop previously used to infiltrate a high-profile investigation into the downing of Malaysia Airlines Flight MH17 over territory held by Russian-backed Ukrainian separatists. All 298 people on board were killed. The missile itself is said to have belonged to a Russian brigade – a claim the Kremlin refutes to this day.
In response to these announcements, Foreign Secretary Jeremy Hunt issued an incendiary statement, saying: “The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.”
“Our message is clear,” Hunt concluded. “Together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”
Those sentiments were echoed by NATO, as Secretary General Jens Stoltenberg later confirmed: “NATO Allies stand in solidarity with the decision by the Dutch and British Governments to call out Russia on its blatant attempts to undermine international law and institutions. Russia must stop its reckless pattern of behaviour, including the use of force against its neighbours, attempted interference in election processes, and widespread disinformation campaigns.
“In response, NATO will continue to strengthen its defence and deterrence to deal with hybrid threats, including in the cyber domain.”
The readiness of the international community to rally behind the Dutch and UK Governments is telling. These attacks demonstrate not only the capabilities of the GRU, but also the long reach of Russian intelligence. The attempt on the OPCW sets an especially troubling precedent and has a number of implications for Syria and the Middle East.
According to Ross Rustici, Senior Director of Intelligence Services at Cybereason: “The allegations of the GRU attempting to hack the OPCW fall under standard international spying. The OPCW is one of the lead bodies investigating the use of chemical weapons in Syria. The information that does not make it into the official reports has very valuable intelligence for the Russian military operating in and supporting Syria.”
Predictably, the Russian Foreign Ministry has dismissed the allegations as “western spy mania”, later claiming Russia was the victim of “yet another stage-managed propaganda campaign”. There is a feeling of futility too; what ultimately has this transparency accomplished? Is it realistic to expect Russia to de-escalate its cyber operations? Many in the defence and security sector think not.
“Unfortunately, this latest round of public announcements is going to do little to influence how Russia operates,” added Rustici. “The fact that almost everything that is being discussed today is a demonstration of Russia’s effectiveness in this space only shores up their confidence in using these techniques as a way to influence and undermine European and American preferred outcomes.”
But if the international community is able to come together, as it has done here, the efforts of the GRU to destabilise Europe and the western world could well backfire. In many ways, a united front is the best possible deterrent against Russian intrusion.