How Russia's top secret global hacking operation unravelled

US and Dutch law enforcement have meticulously detailed how hackers believed to be from Russia's GRU accessed files from world anti-doping agencies. Here's how they did it
Andrew Diprose. Photography from Getty, Alamy, Eyevine. With inspiration from Alexander Rodchenko

On August 14, 2016, Evgenii Serebriakov joined thousands of other spectators at the Rio Olympics. Wearing a striped beige and yellow polo shirt, with sunglasses tucked into his neckline, Serebriakov posed for a photo with a dark-haired woman wearing a Russia t-shirt. As spectators around him found their seats, he smiled.

But Serebriakov – which may not be his real name – was not in Brazil for the sport. He's one of seven men named as part of Russia's elite hacking unit in a lawsuit from the US Department of Justice. It's alleged that the men, all working for the Kremlin's GRU intelligence unit, travelled around the world stealing data from highly confidential governing bodies and government organisations.

The men, according to the lawsuit, launched hacking operations against the World Anti Doping Agency (Wada), FIFA, a nuclear energy company based in Pennsylvania and the Organisation for the Prohibition of Chemical Weapons (OPCW), in The Hague.

Documents state they broke into hotel Wi-Fi networks, assembled makeshift hacking equipment in the back of their car, registered fake domains and conducted detailed digital surveillance of their victims. In doing so, they accessed confidential files, published them online and touted stories to journalists about the information that they had stolen. And most of the operation was paid for in bitcoin.

Russia has denied involvement in the hacks, but the governments of the Netherlands, the UK and the US painted a painstakingly evidenced picture of the GRU's cyberwarfare and disinformation campaigns. As well as Serebriakov, the US indictment named Alexey Minin, Oleg Sotnikov, Alexsei Morenets, Ivan Yermakov and Dmitry Badin as GRU agents. All are accused of working for the Russian intelligence services – in units 26165 and 74455 – between 2014 and May 2018.

The documents state that Russia's worldwide hacking attempts happen in two separate ways: remotely, from offices in Moscow, or, in more complex cases, on site at the location of the targets they are trying to hack.

The GRU's global hacking trail started to unravel as the OPCW met in April. In the days ahead of the group's meeting, Serebriakov, Morenets, Sotnikov and Minin all arrived at Amsterdam Airport Schiphol using diplomatic passports. Wearing business suits, the men were met by a diplomatic escort at the airport and taken through customs. (It is alleged a taxi receipt carried by Morenets showed his journey from the GRU's Moscow base to a nearby airport in Russia.)

Once in Holland, they started their elaborate hacking operation. "Sotnikov and Minin rented a car and thereafter assembled and secreted technical hacking equipment in the car's trunk," the DoJ court document claims. On April 13, they parked the car opposite the OPCW's offices and threw a jacket over their equipment in the back of the vehicle. The equipment could be controlled by someone in the car using a laptop or remotely using a 4G connection.

As the GRU turned on the spying devices, they were detected by Dutch intelligence agencies. The Russian agents fled the scene and left all the equipment in the car. (The picture of Serebriakov at the Olympics was found on one of the abandoned devices.) Investigators found the equipment had been used to log in to hotel Wi-Fi networks on other alleged hacking operations. Images released by the Dutch intelligence agency show a mix of antennas and computer hacking equipment that was found in the vehicle. Phones found in the vehicle had been partially destroyed. Also included was a Wi-Fi Pineapple, which can act as a rogue internet access point and slurp up data from devices that connect to it. All of the GRU agents were escorted from the Netherlands and not detained.


It was not the only international trip. Serebriakov's visit to the Olympics is said to have lasted from August 13 to 19, 2016 and was made with Morenets. Following Wada's investigation into Russian doping in sport, the pair researched the hotels where Wada and other Olympic officials were staying. They provided Yermakov, who was in Russia, with details of the routers used by the hotels' Wi-Fi networks, and in turn he researched security flaws in the devices.

"Using specialised equipment, and with the remote support of conspirators in Russia, these on-site teams hacked into Wi-Fi networks used by victim organisations or their personnel, including hotel Wi-Fi networks," the US indictment says. Serebriakov and Morenets also compromised the Wi-Fi network of a hotel in Lausanne, Switzerland on September 19 and managed to steal information from the laptop of a member of Canada's anti-doping agency (the Canadian Centre for Ethics in Sport).

The pair sent emails from the account of the hacked official – adding the phrase "Sent from my SamsunCopenhagen" to the end of messages – to other anti-doping officials and also used the person's login credentials to access the systems of the Canadian body. Their activity was discovered when the owner of the email account checked their sent folder and found messages that had been sent from the account – these contained malicious links. Malware allegedly installed by the Russian duo sat on the Canadian Centre for Ethics in Sport network for more than a month, until October 24, 2016. Some of this malware had been custom-built by Badin.

"The conspirators developed and utilised malware and hacking tools," the Department of Justice stated in legal documents. These included the Gamefish, X-Tunnel and Chopstick code, the majority of which had been seen before in other Russian-linked cyberattacks. The Gamefish code has been widely used by the Russian hacking group APT28 – also known as Fancy Bear – to establish a foothold in a computer network.

The X-Tunnel malware is believed to have been created specifically by APT28 hackers to target the US Democratic National Committee around the 2016 US presidential election. Hours before the indictment was published, the UK government officially blamed the GRU for four cyberattacks, including the one against the DNC. The UK also tied the APT28 name to cyberattacks that were originally made to appear as coming from an Islamic State hacking group dubbed the CyberCaliphate.

When it comes to remote hacking, Serebriakov and the six other suspected GRU agents tried to cover their tracks. Servers and domain names were purchased using bitcoin. In some cases, it is said, they mined their own bitcoin to fund the purchase of computer infrastructure.

"To further avoid creating a centralised paper trail of all of their purchases, the conspirators purchased infrastructure using hundreds of different email accounts, in some cases using a new account for each purchase," the DoJ says. In one instance it is alleged GRU hackers sent an email asking for 0.012684 bitcoin to be sent to a particular 34-character bitcoin address, and the transaction was subsequently recorded on the blockchain.

Investigators were able to draw links between the bitcoin payments and the computers used for creating and testing spear-phishing emails. Phishing emails that tricked people into logging in to fraudulent websites – and so handing over their usernames and passwords – were the primary way the accused Russian agents compromised targets.

When targeting Wada, one domain was at the centre of the hacking attempts: wada.arna.org. The web address uses the letters 'r' and 'n' side by side, which in many fonts read as an 'm', to impersonate the legitimate address wada.ama.org. The faked domain, and a virtual private server, were registered under the name "Beula Town". The domain westinqhousenuclear.com, impersonating the nuclear power company's domain, had a 'q' substituted for the 'g'. (The company's power plant designs are used in around half of the world's operating nuclear power plants.)

"These domains were intended to mimic or spoof those of legitimate websites that victims were familiar with, including webmail login pages, VPN login screens or password reset pages," the DoJ says. Separately, the US Anti-Doping Agency (USADA) saw 24,227 attempted SQL injections, in which attackers try to smuggle malicious SQL into the database queries a website runs, from 62 different sources.

In some cases, it is alleged the hackers conducted detailed research on their targets. Phishing emails were sent to victims from their bosses and colleagues, who would have had recognisable names.

And once the GRU agents had obtained all this information, what did they do with it? The majority, it is alleged, was passed back to sources in Russia, but it was also publicised as part of a wider disinformation campaign. The Fancy Bears website, which has been seized by US law enforcement, published details of doping allegations against athletes, and it is said the hackers specifically targeted journalists to make the name well known.

The Fancy Bears sent emails to around 70 reporters around the world, the DoJ alleges. "The only condition set forth by the conspirators in such exchanges was that reporters were required to refer to the Fancy Bears' Hack Team by name in the story and later provide a link to the story back to the conspirators."

This article was originally published by WIRED UK