A rare insight into cyber espionage: Dutch intelligence and two Russian bears
6 Apr 2018

In the European summer of 2014, cyber operators from the Dutch Joint Cyber SIGINT Unit—operated by Dutch intelligence and security services—gained access to APT29, better known as Cozy Bear. This well-known Russian hacker group targets Western governments and industry.

With front row access, the Dutch watched the Russians trying to gain access to the US State Department. Dutch authorities warned the Americans and helped the State Department defend its IT infrastructure. Later, the Russians gained access to the White House’s network and confidential information about President Barack Obama’s travels.

In April 2016, Fancy Bear—another Russian hacker group—gained access to the Democratic National Committee’s (DNC) computer servers. The Dutch again warned the Americans.

A year later, the Fancy Bear hack became one justification for the FBI’s investigation into Russian interference in the US elections. US internet security company Crowdstrike, which had been contracted by the DNC, eventually attributed responsibility for the interference to the two Russian bears.

The Dutch digital spies not only watched the online activities of Cozy Bear, they also hacked a CCTV camera that let them watch everyone going into and out of its office. They were able to identify many as employees of the Russian Foreign Intelligence Service.

But Dutch access to Cozy Bear’s activities dried up sometime between 2016 and 2017.

The Dutch daily newspaper Volkskrant and news show Nieuwsuur broke the story in January this year, interviewing Dutch and American officials.

That’s not the end of the story.

Without being explicit, the journalists suggested that indiscreet remarks by senior US government officials cost Dutch intelligence its coveted access to Cozy Bear. At a 2017 Aspen Institute event, NSA Deputy Director Richard Ledgett had said ‘there is no question that Russians were behind the hacks … the proof is irrefutable’.

He also referred to the attack on the State Department, claiming that the NSA was ‘able to see [the hackers] teeing up new things to do’. He considered that ‘a useful capability to have’. The Washington Post later reported that the US could see the hackers thanks to ‘a Western ally’.

It’s possible this tipped off the Russians. But experts also note that such digital access comes and goes. Signals intelligence uses an unattended open door to gain access; it doesn’t break a window. So, when someone locks the door again, access is lost. It might not have been the Americans’ fault.

Indiscretion also occurred on the Dutch side. Sometime in 2017, someone tipped off journalists about the cyber coup and then many more officials were prepared to talk about it, albeit anonymously.

This is a rare situation where the attribution of cyber meddling—in this case to the Russian state—is unquestioned. But a situation where the evidence is more ambiguous is easy to imagine. Public disclosures could easily be part of a strategic influence operation.

In this case, there were also domestic reasons that the Dutch government might want to make the information public.

Very soon after taking office, Kajsa Ollongren, the new Dutch Minister for Home Affairs—which oversees the AIVD—warned parliament about Russian operations to influence public opinion in the Netherlands. Because she couldn’t provide many details, MPs and journalists questioned the credibility of her claims. Members of the government may have wanted to make the evidence public.

Also, legislation giving the intelligence and security services new powers will become law on 1 May. Popularly described as the ‘dragnet law’, it will allow the services to intercept networked/cabled communication from large, imprecisely defined areas such as an entire suburb.

Civil rights watchdogs like Bits of Freedom and Amnesty International argue that the law doesn’t safeguard against invasions of privacy and indiscriminate surveillance. They campaigned for a consultative referendum. Supporters of the new law may have believed that publicising the intelligence coup would boost their case. On 21 March a 49.4% majority voted against the law and 46.5% voted in favour.

And then there’s the Russian–Dutch relationship, which was quite cool before 2014, but the downing of MH17 took the temperature to well below freezing. Since then, the Netherlands has been a strong supporter of EU sanctions against Russia. The Netherlands is also one of a handful of NATO members deploying troops in Eastern Europe.

Public disclosures of cyber espionage are rare and unlikely to pass without repercussions. Dutch researcher Sergei Boeke noted a few days after the Nieuwsuur–Volkskrant story that Dutch security services were concerned about ‘how and where retaliation will take place’. Very soon after that, the main Dutch banks, the tax authority and the government’s Digital ID system fell victim to sustained distributed denial-of-service (DDoS) attacks. The Central Bank issued a warning of a flood of phishing emails, which tend to follow such attacks.

Commentators immediately pointed to Russia as the likely culprit, but an 18-year-old Dutch citizen was detained by authorities.

However the information was leaked, the disclosure also caused ructions in US–Dutch relations. The same week as the disclosure, the head of one Dutch intelligence service acknowledged that significantly less information is shared with the current US administration.

Furthermore, Max Smeets wrote in the Washington Post that there may be a backlash in the US. The hack provided critical evidence in the FBI investigation into Russian influence in the 2016 elections—an investigation that President Donald Trump wishes would just go away.

In 2015, a UN group of governmental experts agreed on a set of norms for ‘responsible behavior of States’. One of these says that ICT incidents should be considered with all relevant information. That includes the larger context of breaches and the challenges of identifying and declaring who’s responsible. That’s good advice when considering leaks as well.