“We’d never expected that the Russians would do this, attacking our vital infrastructure and undermining our democracy.”
Chris Painter — Former cyber official at the U.S. State Department
A Dutch intelligence agency directly witnessed Russian involvement in the hacking of the Democratic Party, according to six anonymous American and Dutch sources. The story may sound too good to be true, but a Dutch expert told Intel Today that the narrative is entirely credible.
UPDATE (February 8 2018) — Max Smeets — a postdoctoral fellow in cybersecurity at the Center for International Security and Cooperation, Stanford University — just penned an analysis published by the Washington Post. Smeets suggests that the Dutch Government had a good reason to leak the information at this very moment…
“A well-placed leak — or just lucky timing? — It remains unclear whether the signaling was intentional in the Dutch case.
Access to the computer networks of Cozy Bear was already lost — perhaps because the Russians were alerted after earlier Washington Post revelations.
And the Dutch government may see a diplomatic backlash from the Trump administration as the intelligence helps the FBI investigation — similar to what some say happened to Australia after officials passed information about Trump’s possible campaign links to Moscow, triggering the initial Russia inquiry.
There were certainly gains at home from this type of signaling.
Last Friday, Dutch Prime Minister Mark Rutte didn’t go into any detail about the case but told members of the media he was “immensely proud” of the intelligence unit’s success.
And Rutte used the occasion to stress the importance of a controversial Dutch intelligence law from June 2017 that would allow the government to conduct large-scale, untargeted tapping of Internet traffic.
Even though it is certain the law will come into effect on May 1, critics were able to enforce a national “advisory referendum” on the issue this March.
With the government under pressure, the achievement of the Dutch intelligence apparatus is a very welcome PR success.”
COMMENT from INTEL TODAY — There is apparently some confusion regarding the name and the authorities of the JSCU Unit that managed to access the Cozy Bear Network.
Indeed, Max Smeets writes:
“The two Dutch reporters who broke the case mistakenly wrote that JSCU has the authority to conduct computer networks attacks.
This is not the case; the JSCU cannot “disrupt, deny, degrade, or destroy.” It can, however, conduct computer network exploitation — that is, espionage.
Of course, network exploitation and network attacks can be quite similar.”
According to the Dutch report, the unit within the JSCU which was responsible for hacking the Cozy Bear group is called “Computer Network Attack” (CNA).
Admittedly, the name of this unit is rather confusing, because the group is indeed not allowed to “disrupt, deny, degrade, or destroy.”
The latter authorities are only for the cyber unit of the Dutch armed forces, or the police under a new law that will pass later this year. [Dr Peter Koop] — END of UPDATE
The ‘Volkskrant’ Story
In the summer of 2014, an officer from the Dutch intelligence agency AIVD penetrated the computer network of the infamous Russian hacker group known as “Cozy Bear”.
In 2016, the Dutch agency directly witnessed the Russian involvement in the hacking of the American Democratic Party.
“The AIVD hackers had not infiltrated just any building; they were in the computer network of the infamous Russian hacker group Cozy Bear. And unbeknownst to the Russians, they could see everything.”
It is unknown exactly what information the hackers acquired about the Russians, but it clearly contained a clue as to the whereabouts of one of the most well-known hacker groups in the world: Cozy Bear, also referred to as APT29.
Through CCTV footage the Dutch also had access to, pictures were taken of every visitor to the premises. At the AIVD headquarters in Zoetermeer, these pictures were analyzed and compared to known Russian spies.
“The team uses a CNA, which stands for Computer Network Attack. These hackers are permitted to perform offensive operations: to penetrate and attack hostile networks.
It’s a relatively small team within a larger digital business unit of about 80-100 people.
All cyber-operations converge here. Part of the unit is focused on intercepting or managing sources, while another team is dedicated to Computer Network Defence.
In turn, this team is part of the Joint SIGINT Cyber Unit, a collaborative unit of the AIVD and the Dutch Military Intelligence and Security Service MIVD, of about 300 people.”
Q&A with Dutch Intel Expert Dr Peter Koop
Peter Koop studied law and as a historian has researched a wide range of topics, including signals intelligence and communications security. In 2012, he started the weblog Electrospaces.net which is dedicated to these issues.
Peter Koop is one of the few people in the world who has systematically and critically studied the documents from the Snowden revelations and the press coverage they received. From this perspective he also writes about the new “Dutch Intelligence and Security Services Act”.
INTEL TODAY — About the Volkskrant story — Considering the Dutch law as well as the history (See Timeline below) and the technical ability of the Dutch Intelligence services, is there anything that makes the story suspicious?
Dr Peter Koop — The story of the Dutch police assisting Russian intelligence in tracing the Zeus group is (as far as I can see and assess) not related to the AIVD hack of Cozy Bear.
Dutch intelligence agencies — AIVD and MIVD — are legally allowed to conduct hacking operations since 2002. Since 2014 they have combined their forces into the new joint JSCU unit.
Dutch police, however, are not allowed to conduct hacking operations (although the law will be changed soon), so the operation against the Russians was done by intercepting traffic from the servers of a Dutch hosting provider.
INTEL TODAY — Did you know that the Joint SIGINT Cyber Unit was conducting this kind of attack? Is it legal and/or specified in Dutch law?
Dr Peter Koop — See previous answer. Yes it was known. The oversight commission CTIVD had prepared some reports about the hacking operations of the JSCU and previously those of AIVD.
INTEL TODAY — How hard do you think it was to succeed in the Computer Network Attacks on the Cozy Bears? Do you think this group works for the Russian intelligence services?
Dr Peter Koop — That’s difficult to say for me as an outsider, but Cozy Bear hackers are not members of Russian intelligence, but rather some kind of “cyber mercenaries”.
This means they have less need to protect themselves as thoroughly as intelligence officers would. Also, they worked from a space inside a university building – all that makes them less secure, so it’s certainly very well possible that JSCU was able to find ways to hack them.
From the Volkskrant report it became clear that Cozy Bear apparently works for the Russian foreign intelligence service SVR – SVR officials were apparently identified through the CCTV footage.
INTEL TODAY — In your opinion, what makes the story credible?
Dr Peter Koop — First of all, it was already reported by US media earlier on that a European ally had provided valuable intelligence that attributed the hacking operations to the Russians.
Secondly, both Dutch reporters of this story are very experienced and credible and have many connections with people from the intelligence services.
INTEL TODAY — Do you think that Evgeniy Bogachev works for Russian intelligence? “UMBRO” was identified as Evgeniy Bogachev in 2014. Is it a coincidence?
Dr Peter Koop — That’s very well possible, given the fact that he is still at large. But of course it is impossible for me to prove.
The identification of Umbro as being Bogachev wasn’t done by the Dutch, but by an international cooperation under Operation Tovar.
The Volkskrant story is not very clear about this, but it seems that Dutch police was only directly involved for intercepting the ICQ communications and not in identifying who Umbro actually was.
INTEL TODAY — FSB Colonel Sergey Mikhailov was the main contact of the Dutch-FSB-FBI collaboration. Do you think it is a coincidence that he was arrested for treason in December 2016?
Dr Peter Koop — That is difficult to say. Allegedly he was arrested for having helped the CIA in tracking Russian hackers, which is similar to what he was doing in cooperation with the Dutch, and also his job as deputy head of the information security department of the FSB.
Therefore, it’s also very well possible that it was because of internal rivalries, and maybe we shouldn’t even exclude the option that he was a double agent for the CIA.
Timeline
2008 — The Dutch police asked other countries for the ICQ numbers of known cyber criminals. Within 3 months, authorities from the US, Germany, Britain, Ukraine and Russia provided a total of 436 ICQ numbers.
2009 January — The public prosecutor and an examining judge approved the interception of communications associated with these numbers. One particular ICQ user — Lucky12345 — appeared to act as the leader of the cyber crime network.
2009 — The cooperation on cyber-criminality between the Dutch, Russia (FSB) and the US (FBI) begins. The first criminal the Dutch police and the Russians tried to track down was a Russian hacker using the alias Lucky12345, best known as the designer of the ZeuS malware. The police gave him the codename “Umbro”.
2013 — Dutch investigators noticed that the ZeuS malware was no longer used just for stealing money, but also for collecting very specific information about government officials of Russia’s neighbours. Dutch police and the FBI became convinced that “Umbro” (Bogachev) had started working for Russian intelligence.
2014 — The Joint SIGINT Cyber Unit (JSCU) is created as a joint venture of AIVD (General Intelligence and Security Service) and MIVD (Military Intelligence and Security Service).
2014 (Summer) — A hacker from the Dutch intelligence agency AIVD penetrates the computer network of the infamous Russian hacker group Cozy Bear.
2016 June — The DNC hack is revealed by the Washington Post.
October 31 2016 — The Obama administration used the Red Phone — for the very first time — to send a message to Moscow. According to a senior U.S. official, part of the message reads: “International law, including the law for armed conflict, applies to actions in cyberspace. We will hold Russia to those standards.”
December 6 2016 — FSB Colonel Sergei Mikhailov and Kaspersky expert Ruslan Stoyanov are arrested in Moscow for treason. Mikhailov was the most important Russian contact for the Dutch police. According to Russian press reports, Mikhailov and Stoyanov had leaked classified information to US intelligence.
December 29 2016 — OFAC (the US Office of Foreign Assets Control) updates the ‘Specially Designated Nationals List’ to include four members of the GRU and two hackers (Aleksei Belan and Evgeniy Bogachev).
January 6 2017 — The US IC releases a joint report outlining how Russian President Vladimir Putin aimed to hurt Hillary Clinton and help President-elect Donald Trump by using “an influence campaign” which included hacking Democratic groups and figures. The evidence-free report is described by former NSA and CIA head General Michael Hayden as “a brick short of a load.”
Dutch agencies provide crucial intel about Russia’s interference in US-elections
“Hackers from the Dutch intelligence service AIVD have provided the FBI with crucial information about Russian interference with the American elections. For years, AIVD had access to the infamous Russian hacker group Cozy Bear. That’s what de Volkskrant and Nieuwsuur have uncovered in their investigation.”
Dutch Intel Agency Witnessed 2016 DNC Attack by Russian Hackers — Q&A with Dutch Intel Expert Dr Peter Koop