The Organization for the Prohibition of Chemical Weapons almost played host to some unexpected visitors last spring: Russian spies.
The organization monitors the use of chemical weapons around the world, and officials there were reviewing evidence in two high-profile cases: the use of toxic weapons in Syria and the poisoning of a former Russian spy in the United Kingdom.
Then, on April 12, four Russian intelligence officers stuffed a trove of hacking equipment into the trunk of a rented car, according to a 41-page Department of Justice indictment of seven accused Kremlin spies. The indictment, released Oct. 4, revealed how for nearly four years, operatives of the Russian GRU intelligence agency had been infiltrating the computer networks of unsuspecting victims in operations similar to one that took place in the Netherlands that day.
The Russian intelligence officials parked their black hatchback next to the organization’s building — a beige, eight-story edifice constructed in a semicircle. Inside the rented car, the Russians had packed a Wi-Fi antenna, batteries, a converter and a server. Assembled, the contraption could harvest Wi-Fi credentials from buildings some distance away.
But when the Russians activated their equipment, Dutch intelligence officials were ready. Although the exact details of what happened next are not clear, the Russian officials fled and abandoned their hacking equipment. Inside the car remained a trove of materials, including some that placed the Russian intelligence officers at the 2016 Summer Olympics in Brazil, at a chemical lab in Switzerland and at a hotel in Kuala Lumpur, Malaysia.
The Justice Department included the event in the indictment of the Russian intelligence officers, who are accused of carrying out nearly a half-decade of brazen cyberattacks and hacks. The seven spies were charged with money laundering, aggravated identity theft and wire fraud.
But how these Russian intelligence officials nestled into their targets’ servers offers an insight into the advanced hacking efforts that foreign governments have underway.
From Moscow, the Russian intelligence officials’ primary method of attack relied on simple spearphishing techniques.
In December 2014, Ivan Yermakov began a reconnaissance operation on employees of the Westinghouse Electric Company. The Pennsylvania-based company is viewed as a high-value target because its designs are similar to nearly half of the world’s nuclear power plants, according to the Justice Department. Yermakov was an intelligence officer assigned to Unit 26165, a cyber espionage centre of the GRU.
Yermakov registered a website whose address appeared almost identical to that of Westinghouse’s email server. This is a common tactic in spearphishing because small, deliberate changes in a website’s URL can fool users at a quick glance. The Russians then launched their campaign by sending emails to at least five Westinghouse employees. The emails were designed to look as if they came from the company’s email server, but when employees clicked on the link, the website they reached was controlled by the Russian intelligence agency.
Similar tactics were used when the Russians penetrated the World Anti-Doping Agency’s computer networks.
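As an added example, not from the article or the indictment, the following defender-side check targets the lookalike-domain tactic described above: it undoes common glyph substitutions, measures edit distance against a constructed legitimate domain (`example-corp.com`, an assumed placeholder), and flags sender or link domains that imitate it.

```python
import unicodedata

# Constructed legitimate domain for the demo; not a domain from the indictment.
LEGIT_DOMAIN = "example-corp.com"

# Visual substitutions commonly used in lookalike names, mapped back to the glyph they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents (NFKD) and undo common glyph substitutions."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a host name (assumption: no multi-label suffixes such as co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify(sender_domain: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for the domain of an inbound sender or link."""
    host = sender_domain.lower().rstrip(".")
    if registrable(host) == legit:
        return "legit"
    if host.startswith(legit + "."):   # real name used as a leading label of a foreign domain
        return "lookalike"
    cand, ref = normalize(registrable(host)), normalize(legit)
    if cand == ref or levenshtein(cand, ref) <= max_distance:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample sender domains, as they might appear in mail headers.
    for sample in ["mail.example-corp.com", "examp1e-corp.com", "example-corq.com",
                   "example-corp.com.login-portal.net", "news-digest.org"]:
        print(f"{sample:40} {classify(sample)}")
```

A production version would use a public-suffix list for `registrable` and a fuller confusables table, but the shape of the check is the same.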
If the Russians’ primary method did not provide access to their target’s network, the group of intelligence officials took their hacking efforts on the road.
When the Russian officials wanted to hack a Canadian anti-doping official in September 2016, they traveled to Lausanne, Switzerland, to complete the task. As the Canadian official checked into a hotel, Russian agents Aleksei Morenets and Evgenii Serebriakov of Unit 26165 allegedly hacked into the building’s Wi-Fi with specialized equipment.
Exactly what the equipment was is not clear, but the indictment suggests that the Russian intelligence officials may have used the same tools as they did in their operation against the Organization for the Prohibition of Chemical Weapons. With access to the hotel’s Wi-Fi, the Russians were able to plant customized software onto the Canadian official’s computer.
Once inside a target’s systems, the Russians deployed customized malware to swipe data. One event showed just how precise the Russians could be.
The immediate future of Russian athletics swung in the balance in January 2017.
After the world’s track and field body, the International Association of Athletics Federations, banned the Russian federation over widespread doping allegations, officials were considering an appeal. Three weeks before the appeal’s decision was set to be announced, the Kremlin’s intelligence officials hacked into the athletic organization’s computer networks and used their suite of customized software to hunt for intelligence. The indictment laid out by the Justice Department makes clear that the Russian officials relied on this specialized suite of tools throughout their years of hacking.
Once inside the world track and field body’s computer networks, the Russians deployed one of their most popular tools: X-Agent. The software allows for keystroke logging and file extraction, according to a report from IT security company ESET. X-Agent was used to create “backdoors for long-term monitoring … in order to maximize the chance of avoiding detection,” the cybersecurity firm said.
After piercing the network, the Russian intelligence officials were apparently able to monitor the athletics officials by reviewing key logger results, monitoring Skype communications and accessing file directories.
According to the indictment, commands were sent out from a computer frequently used by Artem Malyshev, a Soviet lieutenant assigned to Unit 26165.
Some of the software the Russians used was merely a modification of readily available tools.
The Russians used X-Tunnel, which allows a user to execute remote commands. X-Tunnel is an “open-source replacement” for a tool that is available on GitHub, according to Crowdstrike. The software was also used in the breach of the Democratic National Committee in 2016, according to the cybersecurity firm.
The DNC hack was executed by some of the same Russian officials, using the same tools named in the Oct. 4 allegations, according to previous Justice Department indictments.
Crowdstrike summarized the group’s capabilities after the DNC hack, saying, “Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.