The “clumsy” move – thought to have been carried out by hackers employed by Russia’s GRU military intelligence agency – was accompanied by repeated attempts to gain information about the Defence, Science and Technology Laboratory’s (DSTL) work to develop a Covid-19 vaccine. In her first outing for seven months, the Queen and Duke of Cambridge visited the top secret site ten days ago.
The 94-year-old monarch and her grandson formally opened Porton Down’s new Energetics Centre, which develops weapons and tactics for counter intelligence operations.
The site is so secret that no cameras were allowed inside and they were given a private tour.
However, last night sources working for Britain’s intelligence agencies revealed that Russia had attempted to send “falsified emails” in an attempt to ascertain information from the site.
One, supposedly sent by a Ministry of Defence official, attempted to learn the name of the member of staff who would be liaising for an upcoming “royal visit”.
The other, which purported to be sent from Army HQ, Andover, cited the name of a classified chemical being used by scientists to develop a Covid-19 vaccine, and asked whether the Army should prepare itself to assist in “restocking”.
Inaccuracies within the emails, coupled with a “wrong tone”, immediately alerted their recipients and the emails were discarded.
Both emails were traced back to a GRU-run facility located just 10 miles from Moscow.
Russia is well known for launching cyber operations which seek to destabilise the West. They range in scope from so-called influence campaigns to espionage and sabotage.
The nature of the latest attempts shows how it is pursuing a “multi-strand” approach to its cyber campaigns.
In July, the National Cyber Security Centre confirmed that Russia, using a group called APT29, had attempted to infiltrate the DSTL in a sophisticated cyber attack.
The group, also linked to the GRU, used custom malware known as ‘WellMess’ and ‘WellMail’ to target the laboratory and production facilities in the US and Canada all working on a vaccine.
“What we’ve been seeing since July’s disclosures is the continuance of these attempts through other means,” said the intelligence source last night.
“The format has been to send falsified emails with the aim of either eliciting information or causing disruption. This contrasts significantly in the level of sophistication shown before July. They are clumsy. They are, nevertheless, linked to a GRU facility located 15 km east of Moscow.”
The source added: “One example is an email which purported to come from Whitehall inquiring about who at DSTL would be liaising for a royal visit.
“The message did not specify that it was the Queen who would be visiting.
“The second appeared to be sent from Army HQ in Andover, which specified a particular chemical and asked about supplies.
“These messages were quickly identified as suspicious – not only because of their questionable content but also because of their tone, which was rather high-handed and jarred with standard practice.”
Last week the US Department of Justice announced that it had charged six Russian military officers who “sought to disrupt through computer hacking the French election, the Winter Olympic Games and US businesses” as well as attacking Ukraine’s power grid.
In a joint operation, Britain revealed that Russia had also targeted the Tokyo Olympics, which were suspended due to the coronavirus pandemic, including the Games’ organisers, logistics services and sponsors.
Announcing the charges on Monday, Assistant Attorney General John Demers, the Justice Department’s top national security official, said: “No country has weaponised its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite.”
Last month a Nato meeting examining Russian cyber activity concluded that the distinction between state and non-state actors was “no longer helpful or relevant”.
A DSTL spokesperson said: “DSTL never comments on security and cyber-related events. We routinely receive a wide range of low-level spam.”