News Focus

scion

10/04/18 8:36 AM

#31078 RE: scion #30668

Russian GRU agents caught 'hacking' into global chemical weapons watchdog investigating Salisbury

Steven Swinford, deputy political editor, and Senay Boztas in the Netherlands. 4 October 2018 • 1:21PM
https://www.telegraph.co.uk/news/2018/10/04/russian-gru-operatives-caught-hacking-chemical-weapons-watchdog/

Russia mounted a cyber attack on the global chemical weapons watchdog while it was investigating the Salisbury spy poisoning, the British and Dutch security services have revealed.

The Dutch authorities named four GRU operatives who travelled to Amsterdam and attempted to hack into the Organisation for the Prohibition of Chemical Weapons (OPCW) network directly.

The four men - named as Alexei Moronets, Evgeni Serebriakov, Oleg Sotnikov and Alexei Minin - flew from Moscow to Amsterdam on April 10 on official passports, where they were met by a Russian embassy official.

Three days later, they parked in a rental car outside a hotel near the OPCW building, with specialist technical equipment in the back of the vehicle designed to hack into the watchdog’s network.

The attempt on the OPCW headquarters followed unsuccessful "spear-phishing" attacks by the GRU on the Foreign Office and on the defence laboratories at Porton Down, which was also investigating the Salisbury.

Foreign Secretary Jeremy Hunt said Russia could face further sanctions in the wake of "hard evidence" the Russian military hacked the OPCW.


Computer equipment and a WiFi panel antenna set up for hacking were found in the car's boot CREDIT: DUTCH MINISTRY OF DEFENCE

The men were apprehended by Dutch authorities and sent back to Moscow.

Their equipment was seized and authorities have extracted significant intelligence, officials said.

The Dutch authorities have released images of the men arriving at the airport in Amsterdam along with images of their passports.

Dutch officials said the individuals entered the Netherlands on passports with close sequential numbers, and carrying $20,000 USD and 20,000 Euros in cash.

The Dutch defence minister said that it had expelled four Russian intelligence officers after the hacking attack.

Mobiles, cash and train tickets: What was seized
Dutch authorities say they recovered multiple mobile phones from the group - one of which the men attempted to destroy as they were detained.

All of them had been first activated on April 9 at the network mast nearest to the special services centre in Moscow.

They had train tickets to go to Basel on April 17. Dutch officials said the team were planning to travel to the OPCW laboratory in Spiez in Switzerland.

The Wi-Fi equipment in the car was intended to intercept people's logins.

When the equipment was turned on, a threat warning was triggered and the four were arrested.

One of the laptops recovered had connected to WiFi at a hotel in Lausanne in September 2016 during a world anti-doping conference. Another had been linked to hacking in Malaysia and Brazil related to the MH17 investigation.

Secret services chief reveals details of operation
During a press conference, the director of the Dutch secret services gave an unprecedented level of detail about the operation.

Onno Eichelsheim, director of the MIVD, the Dutch military intelligence and security service, said that four Russians with almost identical passport numbers came to the Netherlands from April 11-13 and were closely followed.

"It was evident that this was a close axis hack operation," he said. "The focus was the OPCW. They hired a Citroen CS with registration number PF934R.

"On Friday 13, this was parked in the car park of the Marriott hotel close to the OPCW with its back towards the building.

"At 4.30pm, this apparent hack was active, and then we had a direct digital threat to the operation of the OPCW. Then we decided to disrupt this operation and then put these people out of the land to protect the OPCW."

Mr Eichelsheim added: "Why were they not on holiday? They had a lot of mobile telephones, they took their rubbish with them and [one] had $20,000 and 20,000 euros, which you wouldn't have on holiday.

"The telephones they left in the Netherlands were activated in Moscow near the special services centre. They were planning to go from the Netherlands to Switzerland and had bought train tickets for 17th April.

"The threat [of hacking] isn't just abroad - it's also in The Hague and in the Netherlands."

The Netherlands' General Onno Eichelsheim told the press conference: "It's not always clear why they did the operation towards the OPCW because that does not show on their equipment.

"What I know is they were trying to target the OPCW networks in the period that they were investigating on the Skripals and on the Douma case."

British ambassador: 'This was not an isolated act'
At the press conference in The Hague, British ambassador to the Netherlands Peter Wilson said: "The disruption of this attempted attack on the OPCW was down to the expertise and the professionalism of the Dutch security services in partnership with the United Kingdom.

"The OPCW is a respected international organisation which is working to rid the world of chemical weapons.

"Hostile action against it demonstrates complete disregard for this vital mission."

Mr Wilson said: "This disruption happened in April. Around that time the OPCW was working to independently verify the United Kingdom's analysis of the chemical weapons used in the poisoning of the Skripals in Salisbury."

Mr Wilson said: "The OPCW was also due to conduct analysis of the chemical weapons attack in Douma on April 7.

"This was not an isolated act. The unit involved, known in the Russian military as unit 26165, has sent officers around the world to conduct brazen close access cyber operations."

"Our action today reinforces the clear message from the international community: we will uphold the rules-based international system and defend international institutions from those that seek to do them harm."

Mr Wilson added: "Another of the cyber actors identified as the GRU was Sandworm, which was active in the wake of the Salisbury attacks.

"I can reveal that they were behind the following attempted intrusions: in March, straight after the Salisbury attack, the GRU attempted to compromise UK Foreign and Commonwealth Office computer systems via a spear phishing attack.

"In April GRU intrusions targeted both the computers of the UK Defence and Science Technology Laboratory as well as the Organisation for the Prohibition of Chemical Weapons.

"And in May, GRU hackers sent spear phishing emails which impersonated Swiss federal authorities to target OPCW employees directly and thus OPCW computer systems."

Jeremy Hunt warns Russia faces more sanctions
Speaking about the Russian military involvement in hacking the OPCW, Mr Hunt said: "The first thing we are doing is to expose it and the words matter because there are countries all over the world that are hearing both sides of the story - they're hearing what the Russians say as well.

"This is the evidence that what we are getting from Russia is fake news, and here is the hard evidence of Russian military activity.

"But of course it will go beyond that, and that is why we will be discussing with our allies what further sanctions should be imposed.

"We will also be discussing how we need, working with our friends and allies, to counter this pattern of cyber attacks, which is the new type of attack that the whole world is having to deal with."

He added: "The Russian government needs to know that if they flout international law in this way, there will be consequences, they will be exposed, and people will see the Russian government for what they are; which is an organisation that is trying to fester instability throughout the world and that is totally unacceptable."

In a joint statement Theresa May and Dutch prime minister Mark Rutte said: "We have, with the operations exposed today, further shone a light on the unacceptable cyber activities of the Russian military intelligence service, the GRU.

"This attempt to access the secure systems of an international organisation working to rid the world of chemical weapons, demonstrates the GRU's disregard for the global values and rules that keep us safe.

GRU blamed for wave of cyber attacks across globe
Details of the OPCW attack were revealed on Thursday after the UK Government accused the GRU of a wave of other cyber attacks across the globe.

Foreign Secretary Jeremy Hunt said the GRU was waging a campaign of "indiscriminate and reckless" cyber strikes targeting political institutions, businesses, media and sport.

The National Cyber Security Centre (NCSC) said that a number of hackers known to have launched attacks have now been linked to the GRU.

At a glance | GRU
Short for: Glavnoye Razvedyvatel'noye Upravleniye (“Main Intelligence Directorate”). The group was renamed to G.U. in 2010, but the old name remains in circulation
Purpose: Russian foreign military intelligence
Headquarters: Moscow

The GRU is reputedly Russia’s largest intelligence agency by a considerable margin. It also controls a significant proportion of the country’s Spetsnaz elite special forces.

Falling under military command, the GRU is independent of (and has a fierce rivalry with) Russia’s civilian intelligence agencies such as the FSB, SVR and their predecessors such as the KGB.

As Fancy Bear/APT 28, the group’s operatives have carried out cyber attacks against a number of high-profile targets, including Nato and the election campaigns of Hillary Clinton and of Emmanuel Macron.


The revelations will further strain relations with Russia after Britain blamed Moscow for the nerve agent attack in Salisbury last March which left one person dead.

The NCSC associated four new attacks with the GRU, on top of previous strikes believed to have been conducted by Russian intelligence.

Among targets of the GRU attacks were the World Anti-Doping Agency (Wada), transport systems in Ukraine and democratic elections, such as the 2016 US presidential race, according to the NCSC.
...
MORE + Images

https://www.telegraph.co.uk/news/2018/10/04/russian-gru-operatives-caught-hacking-chemical-weapons-watchdog/

scion

10/08/18 2:55 PM

#31263 RE: scion #30668

Identity of second Salisbury spy revealed in further embarrassment for Russia's beleaguered GRU

By Robert Mendick, chief reporter, and Alec Luhn in Moscow. 8 October 2018 • 7:31PM
https://www.telegraph.co.uk/news/2018/10/08/identity-second-salisbury-spy-revealed-embarrassment-russias/?utm_medium=Social&utm_source=Twitter#Echobox=1539024554

The real identity of the second Russian agent sent to kill Sergei Skripal can be disclosed today.

The assassin - who travelled under the false name of Alexander Petrov - is actually Alexander Mishkin, a 39-year-old spy with Russian military intelligence, The Telegraph can reveal.


The unmasking of Petrov as Mishkin heaps further embarrassment on Vladimir Putin and his regime as it reels from the failed assassination attempt on Colonel Skripal in March and the bungled attempt to discredit the authorities investigating the use of nerve agent in Salisbury.

Mishkin not only used the same first name for his fake identity but also kept the same date of birth - July 13th 1979 - in his false passport issued by the Russian state.

Mishkin is understood to be the more junior officer in the two-man team sent by the GRU to kill Col Skripal by smearing Novichok nerve agent on his front door.

The other member of the team, who used the name Ruslan Boshirov, was unmasked less than a fortnight ago as Colonel Anatoliy Chepiga, a highly decorated GRU officer who received the hero of the Russian federation award by the decree of Mr Putin.


Col Skripal, 67, and his daughter Yulia, 33, survived the attack but Dawn Sturgess, a local resident, died after handling a fake perfume bottle which contained the weapons grade nerve agent. The two men had discarded the glass bottle in Salisbury prior to fleeing the country.

Mishkin, under his alias Petrov, has been charged in absentia with a series of offences including conspiracy to murder and the use and possession of Novichok nerve agent contrary to the Chemical Weapons Act.

Mishkin and Chepiga had travelled to London on March 2 to carry out the assassination two days later of Col Skripal, a former GRU agent who had been caught selling secrets to MI6. Col Skripal was jailed in Russia but sent to the UK in a spy swap in 2010.

Flight ticket details obtained by the Telegraph show Mishkin and Chepiga - under the aliases Petrov and Boshirov - criss-crossing Europe in the two years before the nerve agent attack.

Under their false names, the pair appeared on Kremlin-backed RT television station to deny being members of the GRU.

Instead they claimed to work in the fitness industry, saying they had simply travelled to Salisbury to visit landmarks. Their story was widely ridiculed, not least when they claimed the snow and slush forced them to return to London on March 3 after just an hour in Salisbury and go back the next day in better weather.

British authorities have released detailed CCTV images and a timeline showing the men in Salisbury on a reconnaissance trip on March 3 and then returning a day later to carry out the attack. Traces of Novichok were found in the men’s hotel room in east London.

Four other members of the GRU, who had travelled to The Hague to hack into the chemical weapons watchdog, have also been unmasked by Dutch and British intelligence agencies in a joint operation in April.

The discovery of Petrov’s true identity as Mishkin further compromises GRU operations.

In further developments, the Russian defence ministry has allegedly been discussing a purge of GRU officers whose “utter incompetence” led to its operations being embarrassingly exposed in Salisbury and the Netherlands, the Dossier Centre funded by exiled oligarch Mikhail Khodorkovsky reported on Monday, quoting an unnamed source.

An internal investigation of the GRU's special operations abroad found that agents and their commanding officers failed to follow basic spying etiquette, discussing missions openly over Moscow-registered phones, it said.

The GRU's attempt to hack into the Organisation for the Prohibition of Chemical Weapons was blown after Konstantin Bakhtin, second secretary of the Russian embassy to The Netherlands, discussed details with GRU headquarters over a phone line being tapped by Dutch intelligence, the report claimed.

Bakhtin was registered to the same Moscow dormitory as Salisbury suspect Chepiga and is believed to have also studied at the GRU conservatory there.

https://www.telegraph.co.uk/news/2018/10/08/identity-second-salisbury-spy-revealed-embarrassment-russias/?utm_medium=Social&utm_source=Twitter#Echobox=1539024554