For years, the Kremlin’s increasingly aggressive hackers have reached across the globe to hit targets with everything from simple phishing schemes to worms built from leaked NSA zero day vulnerabilities. Now, law enforcement agencies in the US and Europe have detailed another, far more hands-on tactic: Snooping on Wi-Fi from a vehicle parked a few feet away from a target office—or even from a laptop inside their hotel.
On Thursday, the US Department of Justice charged seven hackers working for the Russian military agency GRU with carrying out a vast intrusion campaign against a wide range of organizations. The targets include anti-doping agencies in Colorado, Brazil, Canada, Monaco and Switzerland, part of a retaliatory leaking campaign after Russia was accused of doping ahead of the 2016 and 2018 Olympics; the Westinghouse Electric Company’s nuclear power operations, which supplies nuclear fuel to Ukraine; and the Spiez chemical testing laboratory in Switzerland and the Organization for the Prohibition of Chemical Weapons in the Netherlands, likely due to their investigations into the Novichok gas attack on a Russian intelligence defector in the UK earlier this year.
But some of the most surprising elements of those intrusion operations are the ones that got the Russian hackers caught red-handed: Parking vehicles outside of target buildings, and infiltrating Wi-Fi networks to hack victims.
“When the conspirators’ remote hacking efforts failed to capture log-in credentials, or if those accounts that were successfully compromised did not have the necessary access privileges for the sought-after information, teams of GRU intelligence officers traveled to locations around the world where targets were physically located,” the Justice Department’s indictment reads. “Using specialized equipment, and with the remote support of conspirators in Russia, these on-site teams hacked into Wi-Fi networks used by victim organizations or their personnel, including hotel Wi-Fi networks.”
The new details on those in-person hacking operations illustrate just how brash the GRU’s hackers have become, says John Hultquist, the director of research at security intelligence firm FireEye, who has closely tracked GRU operations for years. “If they’re willing to play like this, they are extremely aggressive,” Hultquist says. “It’s risky and brazen that they’re doing this physically. Obviously your chance of getting caught and exposed in person are higher, but it gives them a whole new avenue to get into networks that might have otherwise been a challenge.”
In multiple cases, from Rio de Janeiro to Lausanne to Monaco, the Dutch intelligence agency MIVD and US Department of Justice describe how the Russian agents—usually two men named Evgenii Mikhaylovich Serebriakov and Aleksei Sergeyevich Morenets—worked in vehicles outside of hotels or offices, or in the buildings themselves, to compromise Wi-Fi networks and hack their targets in close proximity. In some cases, they’d use that access to steal victims’ credentials. In others they’d attempt to plant espionage-oriented malware.
Finally, in one incident in the Hague last April, the indictment details how Dutch intelligence agents discovered four men—including Serebriakov, Morenet, and two others—in the middle of spying on the Wi-Fi network of the Organization for the Prohibition of Chemical Weapons. The Russian agents had set up a rental car with a large antenna in its trunk, hidden under a black jacket, facing the OPCW building and connected to a laptop and an external power supply. When the Russian team activated that equipment, Dutch agents somehow detected and disrupted the operation. They declined to say exactly how, and the MIVD declined WIRED’s request for comment.
The four Russians were deported back to Moscow. But the equipment and evidence the Dutch agents seized told a detailed story of their work. Despite the Russians’ attempt to destroy at least one phone after being outed, the Dutch investigators found signs that their laptops and phones had connected to Wi-Fi networks at several of their earlier hacking destinations. One even contained a photo of Serebriakov at the Rio Olympics.
“This is not spy versus spy. These were not passive intelligence gathering operations.”
Scott Brady, DoJ
Serebriakov’s backpack, in particular, included “additional technical equipment that the team could also use to surreptitiously intercept Wi-Fi signals and traffic,” the indictment reads. Though it doesn’t spell out how that equipment could penetrate password-protected Wifi networks, it does mention that Serebriakov carried a Wi-Fi Pineapple. Those book-sized devices are designed to spoof Wi-Fi networks so that victims connect to them rather than the intended, legitimate one, acting as a “man-in-the-middle” capable of spying on or altering their subsequent internet traffic.
The Dutch investigators also found additional clues, including a receipt for a taxi from a GRU facility to the Moscow airport, $20,000 in cash and another 20,000 Euros, as well as printouts of information that seemed to focus on the group’s next target, the Spiez chemical testing facility in Switzerland. The printouts included maps of Russian diplomatic facilities in Bern and Geneva, from which the traveling GRU agents might might work, as well train tickets for Bern scheduled three days later.
Crossing the Line
Given that the US has now indicted those Russian hackers, exactly why the Dutch government deported them rather than extraditing them to the US or keeping them in the Netherlands to face charges remains a puzzling detail of the case, which the Dutch government declined to explain to WIRED. In a press conference Thursday, US Attorney Scott Brady nonetheless maintained that the “name and shame” tactic of indicting the hackers sends a signal to the Russian government that it will face consequences for its hyper-aggressive hacking. “There is deterrent value even if we can’t put our hands on the defendants at this time,” Brady said, noting that if they travel outside of Russia they may still be vulnerable to arrest and extradition.
Criminal charges aren’t the usual response to spying operations, given that the US usually seeks to avoid prosecuting foreign hackers for activities its own agencies carry out, too. But Brady emphasized that when the hackers leak the medical information of 250 athletes as part of their campaign to discredit global anti-doping agencies, they crossed a line.
“They cheated, they got caught, they were banned from the Olympics, they retaliated, and in retaliating, they broke the law, so they are criminals,” Brady said. “This is not spy versus spy. These were not passive intelligence gathering operations. This is a criminal conspiracy which caused real harm to real victims.”
Regardless of whether the criminal charges now levied against those hackers send the intended message to the Kremlin, they at least serve as a warning to the wary: Keep an eye on which Wi-Fi network you’re connect to at your hotel—and also the rental car full of military-looking men sitting parked outside of it.