Taxi receipt, records appear to link alleged hackers to GRU
MOSCOW (AP) — April 12 was supposed to be another day on the job for Alexei Morenets, the balding 41-year-old alleged to be an on-site hacking specialist for Russian military intelligence.
Morenets’ work for the agency, often abbreviated as GRU, was said to involve using specialized equipment to break into Wi-Fi networks and leapfrog onto victims’ computers.
An FBI indictment made public Thursday alleged that he had already worked in Brazil, where he traveled twice to Rio de Janeiro to try to break into networks used by anti-doping officials before and during the 2016 Olympics. According to the indictment, he later went to Lausanne, Switzerland, checking into a hotel near where a senior anti-doping official was staying and helping others break into the complimentary Wi-Fi.
But on that spring day, when Morenets rolled into a Marriott Hotel parking lot in The Hague, things went horribly wrong for him and three Russian colleagues. He and Alexey Minin, Oleg Sotnikov and Yevgeny Serebryakov were ambushed and detained by Dutch counterintelligence officers as they tried to break into the Wi-Fi of the Organization for the Prohibition of Chemical Weapons, a global watchdog agency.
The men were expelled from the Netherlands instead of arrested, because they were traveling on diplomatic passports.
The episode was recounted in unusually explicit detail in the U.S. indictment and at a dramatic news conference in the Netherlands on Thursday.
The Dutch released photos of the men’s sequentially numbered diplomatic passports, electronic snooping equipment in the trunk of their car and displays of euros and $100 bills. But among the most damning pieces of evidence was a taxi receipt allegedly seized from Morenets and showing an April 10 trip from GRU headquarters in Moscow to the capital’s international airport.
News organizations, including The Associated Press, sought to corroborate the allegations, a replay of the open-source scavenger hunt that followed the outing of two alleged GRU agents after the poisoning of former GRU officer Sergei Skripal and his daughter in England, or the U.S. indictment of 12 GRU officers in July in the hacking of computers in order to interfere with the 2016 presidential election.
Within hours of Morenets’ name becoming public, the Russian news website RBC reached the taxi company listed on the receipt and confirmed its authenticity.
A man whose full name and date of birth match Morenets’ was shown selling his car in 2004 and listing the Defense Ministry’s Military University in Moscow as his address, according to a car registration database examined by AP.
Russian media also corroborated Morenets’ military connection. Russian news website The Project spoke to five of his former classmates, including three graduates of the Mozhaisky Military Space Academy’s IT faculty, who identified Morenets in the photo released by the Dutch; and two other students said his personal details match those of a man who was in their class that graduated in 1999.
Attempts by the AP to reach the classmates via social media were not immediately successful.
Serebryakov, 37, listed by the FBI as one of the GRU’s other on-site hacking specialists, appears to enjoy a low key lifestyle combining amateur sports and high-level cryptography.
He played in Russia’s Amateur Soccer League between 2011 and 2012, according to the group’s website. Serebryakov put “free agent” as his affiliation on the league’s website and seems to have kept changing teams but he always played for those based in northwestern Moscow. That’s near the Defense Ministry think tank where he was working at the time and wrote a 16-page research paper on cryptography published in 2014 and still available online.
The Defense Ministry describes the think tank, the Center for Special Research, as being involved with research in “communications security and information systems.”
In his research paper, Serebryakov used an email address that referenced a “Casey Ryback,” a character played by Steven Seagal in the “Under Siege” action films.
Serebryakov and Morenets also appear to have similar travel documents. Photos from the Dutch Defense Ministry show that Serebryakov’s passport is just one digit away from the one held by Morenets.
Minin, a 40-year-old with a short, black beard, was alleged to have rented the team’s modest sedan in Holland. Records show he performed courier services for the state-owned firm that administers Russia’s state graduation exams. A spreadsheet from June shows Minin delivering exam papers to a high school in southeastern Moscow and lists him as an employee of a state-owned “special communications” department.
The car registration database shows that Minin listed 50 Narodnogo Opolcheniya and Military Unit 22177 as his home address. The four-story beige and yellow building at the address is surrounded by a fence bearing the Defense Ministry’s five-pointed star. It’s home to the Military Academy of the Defense Ministry, one of Russia’s most prestigious schools for military intelligence officers.
Records show he bought and sold at least three vehicles between 2000 and 2004, including an Alfa Romeo.