Dutch security services say they expelled four Russians over a cyber attack plot targeting the global chemical weapons watchdog.
The operation by Russia’s GRU military intelligence allegedly targeted the Organisation for the Prohibition of Chemical Weapons in The Hague in April.
The OPCW has been probing the chemical attack on a Russian ex-spy in the UK.
The allegations are part of an organised push-back against alleged Russian cyber attacks around the world.
A joint statement from British Prime Minister Theresa May and her Dutch counterpart Mark Rutte said the alleged plot demonstrated “the GRU’s disregard for global values and rules that keep us all safe”.
The Netherlands has summoned the Russian ambassador for an explanation.
“By revealing this Russian action, we send out a clear message: Russia must stop this,” said Dutch Defence Minister Ank Bijleveld-Schouten.
Meanwhile, British Foreign Secretary Jeremy Hunt said the UK was discussing further sanctions against Russia with its allies.
Russia is yet to comment officially. However, its foreign ministry said one would follow shortly after it dismissed the allegations as “Western spy mania…. picking up pace”.
Earlier, the UK government accused the GRU of being behind four high-profile cyber-attacks whose targets included firms in Russia and Ukraine; the US Democratic Party; and a small TV network in the UK.
Russia has called those a “diabolical cocktail” of allegations.
What were the suspects doing?
The four suspects identified by Dutch officials had diplomatic passports and included two IT experts and two support agents, officials said.
They hired a car and parked it in the car park of the Marriot hotel in The Hague, which is next to the OPCW office, to hack into the OPCW’s wifi network, Major General Onno Eichelsheim from the Dutch MIVD intelligence service said.
Equipment in the car boot was pointed at the OPCW and was being used to intercept login details. The antenna for the operation lay under a jacket on the car’s rear shelf.
When the men were intercepted they tried to destroy one of the mobile phones they were carrying.
One of their mobile phones was found to have been activated near the GRU building in Moscow. Another carried a receipt for a taxi journey from a street near the GRU to the airport.
Maj Gen Eichelsheim said the group were planning to travel to Switzerland, to a laboratory in Spiez where the OPCW analysed samples.
They never made it. Instead, the four were immediately escorted out of the country, Maj Gen Eichelsheim said.
By security correspondent Gordon Correra
Counter-intelligence investigations – tracking another country’s spies – are normally among the most secret.
So this was a stunning press conference from Dutch intelligence revealing exactly how they caught four Russian intelligence officers, what they were carrying and what they intended to do.
It is part of a co-ordinated push with the UK and US to pile on the pressure on the GRU about its activities in the wake of the Salisbury poisoning.
The revelations also went way beyond just the targeting of the OPCW to provide an insight into the “close access hacking operations” by the GRU – in which they sent operatives abroad to get physically close enough to a target to intercept communications over wifi – as well as cyber activities coming out of Moscow.
Who are the suspects?
They were named by the MIVD as hackers Alexei Morenetz and Yevgeny Serebriakov, and support agents Oleg Sotnikov and Alexei Minin.
Officials said they were from the GRU’s Unit 26165, which has also been known as APT 28. The UK’s ambassador to the Netherlands, Peter Wilson, said the unit had “sent officers around the world to conduct brazen close access cyber operations” – which involve hacking into wifi networks.
He said the hackers were planning to travel on to the OPCW-certified laboratory in Spiez near Berne in Switzerland, where the Novichok nerve agent used in March’s attack on Sergei Skripal and his daughter in the British city of Salisbury was identified.
At the time the Russian operation was disrupted, the OPCW was investigating the Skripal case as well as an alleged chemical attack in April on the Syrian town of Douma near Damascus, the MIVD said. Russia has accused the UK of staging the incident.
“With its aggressive cyber campaigns, we see the GRU trying to clean up Russia’s own mess – be it the doping uncovered by Wada [the World Anti-Doping Agency] or the nerve agent identified by the OPCW,” Mr Wilson said.
What was on their computer?
A laptop seized from the suspects was found to have been used in Brazil, Switzerland and Malaysia.
In Malaysia it was used to target the investigation into the downing of Malaysia Airlines flight MH-17 over rebel-held territory in eastern Ukraine in 2014, killing all 298 people on board.
The cyber operation targeted Malaysia’s attorney general’s office and Malaysian police, Ambassador Wilson said.
Earlier this year Dutch-led international investigators concluded that the missile belonged to a Russian brigade. Russia has denied any involvement in the plane’s destruction.
Data from the laptop showed it was also present in the Swiss city of Lausanne where it was linked to the hacking of a laptop belonging to Wada, which has exposed doping by Russian athletes.
What is the GRU?
The GRU, also known as the Main Intelligence Directorate, is the intelligence arm of the Russian military.
It is different to the former KGB (now known as the SVR and FSB) as it conducts undercover military operations and collects intelligence operations around the globe.
In recent years the GRU has been accused of undercover involvement in the conflict in Ukraine, which saw the Russian annexation of Crimea in 2014.
It is believed that the two men accused of poisoning Russian ex-spy Sergei Skripal and his daughter Yulia, named as Alexander Petrov and Ruslan Boshirov, are GRU agents.
One of the men was subsequently identified by an investigative website as Colonel Anatoliy Chepiga, an officer in Russia’s GRU military intelligence.