October 9, 2018

The GRU close access operation against the OPCW in perspective

(Updated: December 2, 2018)

Last Thursday, October 4, the Dutch Ministry of Defence held a press conference about how its Military Intelligence and Security Service MIVD had disrupted a spying operation by the Russian military intelligence agency GRU last April.

Four Russian operatives were caught red-handed when they tried to hack into the Wi-Fi network of the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. Meanwhile, the US Department of Justice (DoJ) published a formal indictment against seven GRU officers, including the four from the Netherlands.

Here, the failed GRU operation will be compared to close access operations of the NSA, which learns us more about the methods for hacking wireless networks. There are also some answers to frequent questions about the disruption by the MIVD.



Press conference with from left to right: MIVD director Onno Eichelsheim, Defence
minister Ank Bijleveld, British ambassador Peter Wilson
(photo: Bart Maat/ANP - click to enlarge)


MIVD presentation

During the press conference, the director of MIVD, major general Onno Eichelsheim, explained the case using a 35-page powerpoint presentation with an unprecedented amount of photos and details of what had been discovered about the Russian operation.

This makes the presentation very similar to the ones from the Snowden-revelations, although they were highly classified and for internal use only, while the MIVD presentation is unclassified (in Dutch: ongerubriceerd) and, although marked as For Official Use Only, made for the general public.



Front slide of the MIVD presentation about the disrupted GRU close access operation
(click to download the full presentation)



Close Access operations

MIVD director Eichelsheim revealed that the GRU officers planned a "close access" operation. Such an operation can range from simply setting up a microphone to listen into what is said in a nearby building, to the highly sophisticated collection of unintentional emanations from computer equipment by exploiting so-called TEMPEST vulnarabilities.

In this case it was an effort to gain access to the internal Wi-Fi network of the OPCW headquarters building by using an interception system hidden in a car at a nearby parking lot. It was described as high-end equipment capable of hacking Wi-Fi connections from a distance, identifying the users and intercepting their login credentials.

This sounds very similar to an IMSI-catcher (also known as a Stingray), a very expensive device that functions like a fake cell tower. It's used by law enforcement and intelligence agencies either to identify the nearby active phone numbers, or to actually intercept the calls of a particular cell phone.



The equipment found in the car of the GRU officers, clarified by a diagram
(source: MIVD - click to enlarge)


WiFi Pineapple

Besides the equipment in the car, the backpack of GRU officer Serebriakov also contained some antennas, a WLAN Booster, a WiFi Signal Booster and a WiFi Pineapple model NANO. These Pineapples, with a cost of just around 100,- US Dollar, can mimic the functions of a Wi-Fi server. They are not only used by law enforcement and penetration testers, but are also popular among criminals who use them to spoof Wi-Fi networks so that victims connect to them rather than the intended legitimate server.

As explained in the DoJ indictment, it's likely that the GRU already tried to get access to the OPCW computer network through remote hacking methods, like spear fishing e-mails. Only after that failed to result in the desired access, the agency apparently decided to sent a team to break in through close access methods. Had they succeeded, then the hacking team back in Moscow would have taken over again to exploit the access through remote means.


NSA equivalent

The GRU officers clearly planned to hack the OPCW network and infect it, a technique that wasn't yet known to the MIVD, according to director Eichelsheim. The latter sounds intruiging, but wasn't explained any further.

For an indication of what that mysterious Russian method might be, we can look at the techniques used by the NSA to hack into WiFi networks, which are also referenced to as 802.11 networks. The Snowden-trove provided several documents about this, some of which were published in August 2016 by the website The Intercept.

The NSA equivalent of the set-up found in the car of the GRU officers seems to be a mobile antenna system running software codenamed BLINDDATE. This software can also be attached to a drone to be positioned within the range ofa wireless network of interest:



The NSA's BLINDDATE Wi-Fi hacking system, depicted in the field in Afghanistan
(click to enlarge)


One of the components of BLINDDATE is a "man-in-the-middle" attack method codenamed BADDECISION, which redirects the target's wireless web traffic to a FOXACID server of the NSA. Such a server is then able to infect the target's computer with various kinds of spying malware. This method even seems to work when the wireless connection is WPA or WPA2 encrypted.



Slide from an 2010 NSA presentation of the BADDECISION Wi-Fi hacking method
(click for the full presentation)


SCS units

Such close access operations for American intelligence are usually conducted by units of the Special Collection Service (SCS). They operate covertly from inside US diplomatic facilites around the world and consist of specialized officers from both CIA (for getting physical or HUMINT access) and NSA (for the SIGINT interception equipment).

Interestingly, the GRU team had a similar composition with Aleksei Morenets and Evgenii Serebriakov as cyber operators and Oleg Sotnikov and Alexey Minin for HUMINT support.



The GRU team arrives at Schiphol Airport on April 10, 2018. From left to right: Serebriakov
(cyber), Minin (HUMINT), Sotnikov (HUMINT), Morenets (cyber), Russian embassy official.
(source: MIVD presentation - click to enlarge)


Traveling team

According to the DoJ indictment, Serebriakov and Morenets are both members of Unit 26165, also known as the GRU 85 Main Special Service Center, traveling to foreign countries to conduct on-site hacking operations. Evidence for that was provided by Serebriakov's laptop, from which the MIVD recovered the earlier Wi-Fi connections.

It appeared that they had also been in Rio de Janeiro, Brazil in August 2016 and in Lausanne, Switzerland in September 2016, where they targeted the anti-doping agencies WADA and USADA. In December 2017 the laptop connected to a Wi-Fi network in Kuala Lumpur, Malaysia, which related to the Flight MH17 investigation. After the OPCW in The Hague, their next assignment should have been the Spiez chemical laboratory in Switzerland.

Note that Serebriakov and Morenets traveled to targets related to some of the most controversial issues of Russian politics, which indicates their importance for GRU operations.


Embassy facilities

The fact that the four men were flown in, indicates that the GRU doesn't have such a team permanently stationed inside the Russian embassy in The Hague - just like there's also no SCS unit within the American embassy, according to a 2010 slide from the NSA.

The SCS units became notorious after it was revealed that one of them had been assigned to eavesdrop on German chancellor Angela Merkel and subsequently SCS "spying sheds" were discovered on the rooftops of a number of US embassy buildings.

The Russian embassy in The Hague, which is not very far from both the prime minister's residence as well as from the OPCW building, doesn't have visible spying structures on its roof.



The Russian embassy in The Hague. About 1/3 of the diplomatic personnel can
be considered working for Russian intelligence agencies.
(photo: OmroepWest.nl - click to enlarge)


Update:

On November 30, 2018, the Dutch newspaper NRC came with a long piece about espionage by military officials from the Russian embassy in The Hague, a facility which includes six historic villas, a school, a tennis court and a range of satellite dishes, on a fenced area of ​​almost one hectare.

NRC journalists were able to identify several GRU employees working under diplomatic cover who were involved in various kinds of espionage activities. Most notable was Anton Naoemkin, who's official job at the embassy was Head of Protocol. He appeared to be the man who accompanied the GRU team at Schiphol airport as can be seen in one of the photos released in the MIVD presentation.

Naoemkin brought them to the embassy, where they were awaited by Konstantin Bachtin, who was also involved in the hacking attack, but who may also compromised the operation by constantly calling with Moscow - which may have been intercepted. NRC also mentioned that one month after the failed close access operation, the GRU conducted fishing mail attacks against the OPCW.


Questions

Referencing the "alibi" for the two Russians accused of poisoning Sergei Skripal, MIVD director Eichelsheim noted that the four GRU officers were clearly not on a holiday: they carried spying equipment, multiple cell and smartphones as well as 20.000,- US Dollar and the same amount of Euros in cash.

Also things like how Morenets tried to destroy a smartphone, several traces leading back to the GRU headquarters and the list of earlier Wi-Fi connections still stored on the laptop make the operation look sloppy and unprofessional. Actually it shows that the GRU didn't consider these kind of close access operations to be very risky, and the risk of being caught in the Netherlands not very high.


Plausible deniability

The presumed sloppiness is therefore no reason to lay back, but rather to be more alert. In hostile countries or high risk places, intelligence officers would make sure not to use and carry things that could to identify them or their mission so they can plausibly deny any accusations.

The cover story that the Russian foreign ministry came up with in this case is that there was nothing secret about trip of the four technical experts, as it was allegedly their job to test the cyber security of Russian diplomatic missions.


Prevention instead of monitoring

There were also some questions about how the Dutch services operated. Someone wondered for example why the MIVD didn't monitor the Russian hacking attempt for a short period of time in order to learn what kind of targets they were looking for - a common practice in cyber security.

During the press conference, MIVD director Eichelsheim said that the Russian equipment did not provide information about why the OPCW was targeted. We can assume that field operatives have no "need to know" for the actual purpose of the operation, which may also be classified differently. Maybe it was also already known that this particular GRU method is just used to get a general access to a network, instead of to particular users or files.

Another reason could be that the MIVD simply wanted to prevent any kind of attack on the network of an international organization like the OPCW - Dutch secret services can be quite strict when it comes to their legal tasks. This might have been different when the target had been a Dutch government agency, in which case it may be allowed to monitor a network intrusion for intelligence and prevention purposes.


Expelled instead of arrested

Another frequent question is why the Dutch authorities didn't arrest the GRU officers given the fact that they were caught red-handed. Instead, the four men had been immediately "escorted to a plane to Moscow" - not even formally expelled as some press reports suggest.

Here the most likely reason is that it's the usual practice in espionage to expel spies, especially when they operate under diplomatic cover. This not only prevents that a court case would attract public attention to intelligence failures and successes, but also that we can expect our own intelligence officials to be sent home instead of thrown in jail.



New strategy

A final question is why the MIVD came with such a unusually detailed presentation about a recent operation, given how extremely secretive the Dutch intelligence services are. But internationally there were precedents:

Last July, the US Department of Justice issued an indictment in which 12 Russian intelligence officials (mostly from the GRU) were identified and accused of hacking the Democratic National Committee (DNC) and the Clinton presidential campaign and subsequently releasing the stolen files using platforms like DC Leaks, Wikileaks and Guccifer 2.0.

In September, the British government also identified two GRU officers ("Alexander Petrov" and "Ruslan Boshirov") as the suspects in the case of the poisoning of former GRU officer and double agent Sergei Skripal in Salisbury in March 2018.

And just before the press conference in the Netherlands, the UK National Cyber Security Centre (NCSC) came with a statement in which the GRU was accused of "indiscriminate and reckless cyber attacks" including disrupting the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets, hacking a small UK-based TV station and cyber attacks on Ukrainian financial, energy and government sectors.

This makes clear that "naming and shaming" Russian intelligence officials is a new deterrance strategy of the Western allies in the hybrid cyber and information war that Russia inflamed a few years ago.



Links and sources
- Clingendael.org: Hoe de Russen (waarschijnlijk) probeerden de OPCW te hacken
- Clingendael.org: Heads rolling at the GRU? Blundering Russian intelligence
- Spiegel.de: The Rise of Russia's GRU Military Intelligence Service
- Wired.com: How Russian Spies Infiltrated Hotel Wi-Fi to Hack Victims
- Emptywheel.net: A Tale of Two GRU Indictments
- RTLNieuws.nl: Waarom de MIVD de Russische spionnen niet liet vastzetten

2 comments:

Anonymous said...

How do the NSA/CIA/DIA TAREX operations compare to those of the SCS and EAO?

P/K said...

TAREX (or Target Exploitation) includes Close Access operations, but also other methods and it seems that the term TAREX is mainly used in a military context.

The Special Collection Service (SCS) units of CIA/NSA and the Expeditionary Access Operations (EAO, the Close Access unit of the NSA's hacking division TAO) then provide the people and the means for such TAREX operations.

See also the TAREX Classification Guide: https://theintercept.com/document/2014/10/10/target-exploitation-classification-guide/

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties