
Russia hack: Taxi receipts to lager cans – the trail of evidence left by spies who tried to attack the chemical weapons watchdog

On 10 April, a seemingly unremarkable group of Russian men arrived at Amsterdam’s Schiphol airport on diplomatic passports.

They were greeted by an official from the Russian embassy in the Netherlands, who helped them hire a car to be used in their stay.

Aleksei Morenets, Evgenii Serebriakov, Oleg Sotnikov and Alexey Minin then travelled more than 40 miles to The Hague Marriott Hotel.

It was not chosen for its four-star rating, but for the view – over the Organisation for the Prohibition of Chemical Weapons (OPCW) international headquarters.

The four “diplomats” were in reality agents from the GRU military intelligence agency, on a mission to hack into the chemical weapons watchdog’s computer systems.

Weeks after the attack on Sergei Skripal, the OPCW’s scientists were testing samples taken from Salisbury that would be verified as Russian-made novichok within days.

The GRU had to act quickly. Having already tried and failed with remote cyberattacks on the OPCW, the UK Foreign Office and the Porton Down laboratory, a “close-access” attempt was the only option left.

Specialist equipment intended for the alleged hacking of the Organisation for the Prohibition of Chemical Weapons’ wifi networks (PA)

The four spies started preparing for their mission, equipped with multiple mobile phones, cameras, specialist hacking equipment and the equivalent of almost £35,000 in cash.

On 11 and 12 April, Dutch investigators said they carried out reconnaissance of the OPCW building and its surroundings.

They photographed the headquarters from numerous angles, including from inside the Marriott hotel.

At some point, the four agents went shopping for a large battery in The Hague, which also houses Dutch government institutions, international embassies, the International Court of Justice and International Criminal Court.

By 13 April, they were ready to strike. Their hired Citroen C3 had its boot fitted out with a covered wifi antenna, a computer, a transformer and specialist equipment set up to attack the OPCW’s wifi networks.

All that was left to do was to park it within range of the OPCW headquarters and get to work.

But Dutch security services, with help from Britain and other allies, had detected the plot and sprang into action before it could succeed.

As police officers moved in, the Russians attempted to destroy their equipment but not quickly enough, leaving an unprecedented cache of intelligence.

The group had attempted to be careful, using old-fashioned Samsung “burner phones” alongside more sophisticated smartphones.

Their operational security training even extended to the rubbish bins in their hotel rooms, which they emptied before leaving, taking the cheap lager cans and fruit juice bottles with them on the mission.

But it all came to nothing as they were arrested and escorted to the Dutch border by police, who sent them back to Moscow.

Intelligence services were left to analyse a treasure trove of information left on the men’s phones, computers and other devices that revealed their past movements and future plans.

Despite their diplomatic cover, the connection to the GRU was not hard to find.

One of the phones recovered, a Sony Xperia, had been activated through a cell tower next to the GRU’s headquarters in Moscow on 9 April.

The following day, Morenets ordered a taxi from the street outside the GRU barracks at Komsomolsky Prospekt 20 directly to Moscow Sheremetyevo Airport, where he and his three fellow agents would fly onwards to Amsterdam. He kept the receipt.

The car carrying hacking equipment used by the GRU officers (Dutch Ministry of Defence/PA)

Minin’s camera allowed investigators to retrace their steps as they carried out hostile reconnaissance on the OPCW.

And Serebriakov’s laptop showed he had been researching the Spiez Laboratory in Switzerland, which had been tasked with testing Salisbury samples.

Dutch investigators identified the laboratory as the group’s next target after discovering they had purchased train tickets onwards to Bern and printed out maps of Russian diplomatic facilities in the area.

They would never reach it, and days after the attempted attack the OPCW publicly verified the use of novichok in Salisbury.

The decision to release the identities of the GRU operatives involved has sparked another round of investigations by international intelligence services and citizen groups.

Online investigators Bellingcat and The Insider website said their checks suggested that Aleksei Morenets, Evgenii Serebriakov, Oleg Sotnikov and Alexey Minin were real identities rather than aliases.

The GRU officers were apprehended by Dutch intelligence officers (Dutch Ministry of Defence/PA)

They accessed database records for Morenets giving his registered address as Ulitsa Narodnogo Opolcheniya 50, an address in Moscow where the military academy of the Ministry of Defence is situated. This academy is known as the GRU Conservatory.

On a separate Russian car ownership database, Morenets is listed as the owner of a Lada car registered to Komsomolsky Prospekt 20 – the GRU barracks where the four spies caught their taxi on 10 April.

It is also the home of GRU unit 26165, identified by Dutch, British and American officials as its cyberwarfare department.

A search for vehicles registered to the same address turned up 305 names alongside their passport details and, in some cases, telephone numbers.

As Bellingcat noted: “If these 305 individuals are indeed officers or otherwise affiliated with the GRU’s military unit 26165, their listing in a publicly accessible database may constitute one of the largest mass breaches of personal data of an intelligence service in recent history.”