Russia Accused in the Hacking of Its Pursuers

By David E. Sanger, Eileen Sullivan and David D. Kirkpatrick, New York Times

WASHINGTON — Western allies accused Russian intelligence officers on Thursday of launching cyberattacks against organizations around the globe that challenged Russian wrongdoing, exposed Kremlin disinformation campaigns or took on President Vladimir V. Putin.

Officers operating near Red Square sought to hack the British Foreign Ministry, anti-doping agencies in Colorado Springs, Colorado and Canada, as well as investigators examining the shoot-down of a Malaysian passenger jet over Ukraine in 2014, the officials said.

Other Russian officers armed with mobile computer equipment traveled to the Netherlands in April to tap into the headquarters of the world’s chemical weapons watchdog, which was investigating the poisoning in Britain a month earlier of a Russian former spy and his daughter. Those officers were caught and expelled.

Seeking to deter Moscow, officials in Washington, London and Amsterdam released extraordinarily detailed accounts of Russian misdeeds on Thursday in intelligence reports and a Justice Department indictment charging seven Russian officers. They named the officers, published photographs of them and their equipment, and released maps charting their travel and their targets. One officer caught in the Netherlands, they said, was carrying a receipt for a taxi ride to the Moscow airport from the street outside the headquarters of the military intelligence agency formerly known as the GRU.

The complaints echoed the case that British authorities recently made against Russia in the poisoning of the former spy, Sergei V. Skripal, by publishing photographs of two Russian officers and other evidence. U.S. officials also expanded the constellation of cyberattacks they blamed on Russia, which they had previously limited to election interference.

The accusations also demonstrated that even while its hacking of the Democratic National Committee was underway, the GRU was conducting similar operations around the world.

“The defendants believed that they could use their perceived anonymity to act with impunity, in their own countries and on territories of other sovereign nations, to undermine international institutions and to distract from their government’s own wrongdoing,” said John C. Demers, the assistant attorney general for national security. “They were wrong.”

As with previous Justice Department criminal complaints against hackers from Russia, China, Iran and North Korea, the indictments were unlikely to lead to arrests. But taken together, the accusations formed the West’s latest public shaming of the Kremlin, over malfeasance that President Donald Trump has shown reluctance to condemn. In the case of election interference in the United States, he has cast doubt that it ever happened.

Instead, Vice President Mike Pence denounced China on a number of fronts on Thursday, saying that its influence campaigns were more worrisome than Russia’s. He made no reference to the Russian indictments.

The Kremlin dismissed the accusations. A spokesman for the Foreign Ministry called them the result of a “rich imagination” and “some kind of diabolical perfume cocktail,” Russian state media reported.

The combined effort by Western officials is based on a theory that Putin and his aides can be embarrassed into paring back their operations. But past cases cast doubt on that theory. U.S. intelligence agencies accused the Russians, and ultimately Putin, of the Democratic National Committee hack in 2016; Thursday’s allegations documented misconduct this year, by the same agency and, in some cases, the same operatives.

Of the seven Russian officers charged by the Justice Department, three were also indicted in July by the special counsel, Robert S. Mueller III, for interfering in the 2016 election. The new Justice Department case did not emerge from the Mueller investigation, Demers said, but added, “They evince the same methods of computer intrusion and the same overarching Russian strategic goal: to pursue its interests through illegal influence and disinformation operations aimed at muddying or altering perceptions of the truth.”

The indictment primarily focused on allegations that the Russian officers hacked into anti-doping agencies and sporting federations, including the global soccer organization FIFA, and stole private medical information about roughly 250 athletes from 30 countries. The hackers released the data “selectively, and sometimes misleadingly,” in retaliation for the revelations of a state-sponsored Russian doping program that led to a ban on the Russian team from the 2018 Winter Olympics, prosecutors said.

The Dutch intelligence officials also contributed evidence to the hacks of the sports groups. The authorities who foiled the Russian operation in the Netherlands seized a laptop that had a picture of one of the GRU officers with a Russian athlete during the 2016 Summer Olympics in Brazil. It also contained evidence that a Russian spy stayed in the same Lausanne, Switzerland, hotel as a Canadian anti-doping official during a meeting of the World Anti-Doping Agency as it investigated allegations of Russian doping. After the Canadian official logged on to the hotel’s Wi-Fi network, the Russian and some of his colleagues used it to illegally access his laptop, according to the Justice Department indictment. The Canadian later noticed a strange message in his sent mail riddled with typos and a fake signature. Investigators found a malicious link embedded in the email; Russian intelligence had apparently used it to stealthily access the Canadian anti-doping agency’s network for weeks in the fall of 2016.

Beginning that September, officers from GRU Unit 74455 released information stolen from the World Anti-Doping Agency. Claiming to be “hacktivists,” court papers show they went by the name Fancy Bears’ Hack Team, an ironic reference to the name that investigators have given to that GRU unit and another.

As they did that summer and fall with stolen Democratic emails, the Russians played off the Western news media’s hunger for scoops. Through this July, the indictment alleged, the Fancy Bears’ Hack Team communicated with about 70 reporters, doling out stories on an exclusive basis.

In one case, the Justice Department alleged, an unidentified reporter suggested ways for the spies to sift through their stolen data for nuggets of news. When articles resulting from their documents were published, the Russian intelligence officers distributed them “in an apparent attempt to amplify the exposure and effect of their message,” the indictment said.

“All of this was done to undermine those organizations’ efforts to ensure the integrity of the Olympic and other games,” Demers said.

One officer, Ivan Sergeyevich Yermakov, was also charged with creating a fake website and sending spear-phishing emails to employees of Westinghouse Electric Co., based near Pittsburgh, who worked on nuclear reactor technology. Westinghouse has supplied Ukraine with nuclear fuel, but Demers declined to detail whether the larger aim of the Russian operation was to steal nuclear technology or interfere with fuel deliveries to Ukraine, which Putin has sought to destabilize.

One of the most detailed and well-documented of the charges involved the attack on the Organization for the Prohibition of Chemical Weapons. The group was investigating the poisoning in March of the Skripals. British officials have accused Russia of using a nerve agent to try to kill Sergei Skripal, whom Putin called on Wednesday “simply a scumbag” and “a traitor to the motherland.”

The attack on the OPCW, as the group is known, unfolded over three days before it was thwarted.

Dutch officials identified four Russian military intelligence operatives — two of whom specialize in cyberattacks — soon after they arrived in Amsterdam on April 10 carrying diplomatic passports, said Maj. Gen. Onno Eichelsheim, the director of the Dutch Military Intelligence and Security Service. They were also behind an attempt to hack a Swiss laboratory that tested a nerve agent for the OPCW in the Skripal poisoning and had also done testing in 2013 of the agent used in a chemical attack in Syria, a Russian ally, Dutch officials said. British intelligence officials alerted their Dutch counterparts that the Russian officers intended to conduct reconnaissance for a hacking operation, Eichelsheim said. A day after their arrival, the spies rented a Citroën hatchback to travel to and around The Hague. One of them, Alexey Minin, took several pictures around OPCW headquarters, according to Dutch officials.

On their third day in the Netherlands, the Russian officers parked the Citroën in the lot of a Marriott Hotel next door, its trunk pointed toward the headquarters of the arms control organization. Inside the car was a sophisticated device for penetrating a Wi-Fi network to gather the login credentials of its users, its antenna hidden under a jacket.

After about 30 minutes, the Dutch authorities moved in on the Citroën, catching the Russians in the act and, Eichelsheim said, preventing “severe damage” to the OPCW.

The Dutch recovered the taxi receipt and the laptop, whose internet search history included evidence that train tickets were purchased for an April 17 trip from the Netherlands to Bern, Switzerland, about 25 miles from the Swiss facility, said to be their next target.

The Dutch also seized a mobile phone that one of the Russian agents tried to destroy and discovered that it had been used four days earlier at GRU headquarters.

They also found evidence that a Russian officer had been in a Kuala Lumpur hotel near where Malaysian government officials were investigating the 2014 crash of the passenger jet over Ukraine that killed nearly 300 people. In May, international investigators said Russia had supplied the missile that downed the plane.

And British officials identified a group of hackers known as Sandworm as the culprits in Russia’s attempt to hack the British Foreign and Commonwealth Office and said that the same Russian officers were behind attempted cyberattacks in April on the British Defense and Science Technology Laboratory.

Copyright 2024 New York Times News Service. All rights reserved.