Hours earlier, the Dutch government outlined an operation — almost comedic in its haplessness — in which Dutch counterintelligence forces caught the Russians red-handed as they sought to hack a chemical-weapons agency in The Hague.
The British government accused the GRU of “reckless and indiscriminate cyberattacks,’’ blaming it for such operations as the hacking of Olympic athletes’ medical records, disruptions on the Kiev subway system and the 2016 theft of emails from the Democratic National Committee.
Taken together, the indictments and condemnations represented a coordinated effort to further expose Moscow’s ongoing, widespread campaign to discredit democracy and international institutions through disinformation and its attacks on the rule of law. Russia’s aim, officials said, is to muddy or alter perceptions of the truth, even if its efforts sometimes fail spectacularly.
“Nations like Russia, and others that engage in malicious and norm-shattering cyber and influence activities, should understand the continuing and steadfast resolve of the United States and its allies to prevent, disrupt and deter such unacceptable conduct,” said John Demers, assistant attorney general for national security.
A spokeswoman for Russia’s foreign ministry, Maria Zakharova, dismissed Britain’s allegations as a delusional and “diabolical perfume blend.” The ministry had no immediate comment on the U.S. indictment.
The flurry of activity on Thursday follows separate moves earlier this year stemming from special counsel Robert S. Mueller III’s probe of Russian interference in the 2016 U.S. election. In July, he obtained an indictment of 12 GRU members for hacking and leaking emails of Democratic officials and organizations. In February, officials announced an indictment of more than a dozen Russian “trolls” who spread disinformation online and of several operatives who traveled to the United States and posed as Americans to whip up protests and stoke political divisions.
In the summer of 2016, the GRU hacked drug-test results from the World Anti-Doping Agency and leaked onto the Internet confidential information about U.S. Olympic athletes, including tennis stars Serena and Venus Williams, and gold medal gymnast Simone Biles. WADA that year called out the Russian military agency for the operation.
Now, the U.S. government is seeking to punish the cyberspies.
“We at the Department of Justice are not satisfied with merely exposing the conduct,” said Scott Brady, U.S. attorney for the Western District of Pennsylvania, where a grand jury indicted the Russians. “We seek to arrest those who broke the law. We want to bring them to Pittsburgh. We want them to stand trial. And we want to put them in jail.”
Dutch security officials said they expelled four of the Russians from the Netherlands for attempting in April to hack the Organization for the Prohibition of Chemical Weapons (OPCW), an international watchdog organization based in The Hague. All seven GRU officers are now believed to be in Russia, U.S. officials said.
Allegations in the indictment show “the defendants believed that they could use their perceived anonymity to act with impunity, in their own countries and on territories of other sovereign nations, to undermine international institutions to distract from their government’s own wrongdoing,” Demers said.
The GRU campaign ran from December 2014 until at least May 2018, targeting U.S. individuals, corporations and international organizations based on their strategic interest to the Russian government, officials said.
In July 2016, WADA released a report describing Russia’s systematic subversion of the drug-testing process before, during and after the 2014 Winter Olympics, held in the Russian resort city of Sochi. As a result, 111 Russian athletes were banned from the 2016 Summer Games in Rio de Janeiro. The International Paralympic Committee imposed a blanket ban on Russian athletes for its 2016 games.
Days after WADA released its report, the indictment alleges, the GRU officers prepared to hack the networks of WADA and the United States Anti-Doping Agency, among others, from Russia. Apparently unsuccessful in the effort from afar, two of the spies flew to Rio to hack the WiFi networks used by anti-doping officials in their hotels and elsewhere, officials said. They succeeded in stealing the log-in and password for one U.S. Anti-Doping Agency official’s email account, obtaining summaries of test results and prescribed medications, they said.
In September, they flew to Lausanne, Switzerland, where WADA was hosting a conference, and managed to steal the credentials of an official with the Canadian Centre for Ethics in Sport by hacking the hotel’s WiFi. Other GRU spies used the credentials to compromise the anti-doping agency’s networks in Canada.
Using social media accounts and other computer sites operated by GRU Unit 74455 in Russia — one of two units implicated in July with interfering in the 2016 U.S. election — the cyberspies posed as a hacktivist group calling itself the “Fancy Bears’ Hack Team.”
They leaked medical information and emails stolen from officials with 40 anti-doping and sporting organizations. In some instances, WADA documents were altered, officials said. In all, the GRU spies leaked the private data of 250 athletes from almost 30 countries, officials said.
As part of its disinformation effort, the operatives in some cases paired the leaks with posts and comments that parroted themes used by the Russian government to push back against the anti-doping agencies’ findings, officials said. Between 2016 and 2018, they also exchanged emails and private messages with some 186 reporters “to amplify the exposure and effect of their message,” the Justice Department said.
“I also hope that responsible members of the international news media will cast a suspecting eye on future ‘hack and leak’ operations which seek in part to manipulate stories in furtherance of Russian state interests,” Demers said.
Five defendants belong to GRU Unit 26165, the other team implicated in Mueller’s July indictment. They are Aleksei Morenets, 41; Evgenii Serebriakov, 37; Ivan Yermakov, 32; Artem Malyshev, 30; Dmitriy Badin, 27. Also charged Thursday were Oleg Sotnikov, 46, and Alexey Minin, 46. They were accused of conspiracy to commit computer fraud and abuse, wire fraud and money laundering.
In April, Morenets, Serebriakov, Sotnikov and Minin traveled on diplomatic passports to The Hague and sought through WiFi connections to target OPCW computers. But Dutch counterintelligence agents were watching, and the GRU plot unraveled when authorities caught the Russians in a rental car parked just outside the agency’s semicircular building. The spies were carrying taxi receipts for the trip from GRU’s barracks to a Moscow airport. And one of their phones had been activated on a transmission tower near the barracks.
A laptop confiscated by Dutch authorities contained web searches for a Swiss lab that helps the OPCW in its analyses, and the Russian spies were carrying Google Maps printouts of Russian diplomatic facilities in Geneva and Bern. One man had hidden an antenna in the car’s trunk that was pointed at the OPCW to try to intercept log-in information to the organization’s wireless Internet network, officials said.
The Russians were carrying diplomatic passports, which may be why the Dutch authorities returned them to Moscow rather than arresting them. The Dutch released surveillance images of the men being accompanied by a Russian embassy official after landing at Amsterdam’s Schiphol airport.
The four had train tickets from the Netherlands to Switzerland, officials said, where they intended to target the Spiez Swiss Chemical Laboratory, which was analyzing military nerve agents, including the Novichok chemical agent that Britain said was used to poison former GRU officer Sergei Skripal in Salisbury, England, in March.
OPCW independently confirmed earlier this year that the Soviet-era nerve agent was used in the Skripal attack. The Russian mission to the OPCW has declined to comment on the Dutch findings, Interfax reported. The Russian ambassador to the Netherlands was summoned Thursday to the foreign ministry, officials said.
British diplomats on Thursday said Russian military intelligence was behind six cyberattacks between mid-2015 and March 2018. At least five were newly attributed on Thursday. Although some were high-profile and obviously political, others ranged across industries.
Britain accused the GRU of hacking email accounts at a “small UK-based TV station,” stealing their contents. It blamed Russia for the WADA leak. It said Russia was behind a foiled attempt in March to compromise the servers of Britain’s Foreign Office. The British also blamed the GRU for the October 2017 BadRabbit ransomware attack that rendered computer systems inoperable in Ukraine and at the Russian central bank.
U.S. Defense Secretary Jim Mattis told reporters in Brussels that Washington stood “shoulder-to-shoulder” with NATO allies who said they had been subject to Russian cyberattacks and pledged U.S. cyberoffense capabilities to other allies if called upon.
But he said that NATO would not necessarily respond in kind.
Governments have been cautious about attributing similar attacks, in part because their origin can be hard to trace and because they do not want to reveal how they have tracked or penetrated the groups. But Britain and its allies have pushed this year for significantly more transparency, particularly after the Skripal attack in March.
Nakashima reported from Washington. Birnbaum reported from Brussels. Booth reported from London. Anton Troianovski and Amie Ferris-Rotman in Moscow contributed to this report.