The Dutch Intelligence Agency (AIVD) hacked the Russian Cozy Bear hackers (Their Building): Here’s The Story

On the 25th of January the Dutch newspapers Volkskrant and Nieuwsuur published a detailed story about the Dutch Secret Service AIVD hacking the Russian APT Group Cozy Bear, also known as APT29/The Dukes/The FSB. The AIVD was not only able to hack their computers but also the surveillance camera’s present in the building. In the hacking world this is the ultimate smoking gun. You can physically observe the person behind the keyboard performing it’s act. This is the story.

Timeline: What actually happened?

Summer 2014: A Hacker of the AIVD penetrates the network of a university building next to the Red Square in Moscow.
October 2014: Cozy Bear hackers prepare for an attack on the American State Department. They have obtained e-mail addresses and the login credentials of several civil servants. They manage to enter the non-classified part of the computer network. The Dutch directly inform the American Intelligence Agencies. What follows is an (epic) battle between attackers (Cozy Bear) and defenders (NSA and FBI) that has been well documenten in American media [1][2].
The Dutch continiously provide the Americans with new Command and Control server information the Russians use to exfiltrate data from their implants at the State Department. The Americans on their turn continously shut down connections to these servers. Eventually, the Americans manage to dispel the Russians from the Department, but not before Russian attackers use their access to send an e-mail to a person in the White House. And that is how the White House got hacked.
The Russian hackers manage to get access to the email server of Barack Obama, but fail to get access to the BlackBerry messages of Obama, said to contain State Secrets.
It’s the Dutch again that inform the Americans Cozy Bear has access to e-mail traffic with embassies and diplomats, agendas, notes on policy and legislation.
July 2015: Cozy Bear hacks the DNC.
Summer 2015: From their headquarters in Zoetermeer the AIVD hackers witness an ongoing hacking attack against the DNC. A security camera records every movement in the curved hallway of the university building the hackers are located in. Pictures are taken of every visitor. In Zoetermeer, these pictures are analyzed and compared to known Russian spies.
Autumn 2015: FBI warns the DNC. DNC does nothing.
Late 2015: NSA hackers manage to penetrate the mobile devices of several high ranking Russian intelligence officers. They learn that right before a hacking attack, the Russians search the internet for any news about the oncoming attack. According to the Americans, this indirectly proves that the Russian government is involved in the hacks.
June 2016: Crowdstrike confirms Cozy Bear and also Fancy Bear are in the DNC systems.
July 2016: WikiLeaks publishes 19 thousand emails and 8 thousand attachments of the DNC.

Bits and Pieces indicating this story might be real.
Numerous times the Dutch intelligence agencies are thanked by their American counter parts. This might be normal. But here’s a specific video dedicated to the AIVD director Rob Bertholee. In this video James Clapper explicitly says the Dutch (in return?) received valuable information surrounding the MH17 crash.

What might have happened here?
Anything could have happened here, I simply don’t know. But what sounds fairly plausible to me is the following:
It is known the Russian APTs often use Dutch infrastructure to conduct their operations. If you have visibility into the connections going to and from those computers you can see the complete traffic path. This way an active Command and Control server might have given the Dutch information about the usage of a ‘university building’ next to the Red Square. As is indicated in the story, the Dutch often gave the Americans information about new Command and Control servers used to attack the State Department. This tells us the Dutch had visibility on the total connection path of the actual data exfiltration channel. Meaning the source and including the hops in between. This could be achieved by access to these proxies, or interception capabilities on route. The Netherlands is a large internet hub, especially to connect to the American mainland with Europe.

How did this story reach the press?
The Volkskrant says it has spoken to 6 American and Dutch sources familiar with the material. On April 3th 2017 The Washington Post published an article detailing the above events: “ The NSA was alerted to the compromises by a Western intelligence agency. The ally had managed to hack not only the Russians’ computers, but also the surveillance cameras inside their workspace, according to the former officials. They monitored the hackers as they maneuvered inside the U.S. systems and as they walked in and out of the workspace, and were able to see faces, the officials said.”
Apparently after 9 months the Volkskrant was able to find Dutch sources confirming this story. But the ‘leak’ clearly started in the US by former officials. I’ve covered the current extremely dangerous situation in the US IC community, and this leaking might be a reason for Rob Bertholee to publicly acknowlegding he is more careful with sharing intelligence because of the in-stable political climate in the US.

Israel tipped the NSA its cyber weapons were being leaked through Kaspersky software. The story got leaked and the Israeli got furious.

This time the Dutch informed US intel the DNC/White House/State Department got hacked. The story leaked and now the Dutch are furious.

US intel is single handedly destroying extremely valuable information position of allied nations. Putin really gets what he wants. On one hand he gets information about how they are being spied upon, on the other hand established trust relations between western intelligence are being destroyed. These are things that happened during the collapse of the Soviet Union. Shouldn’t be happening now.

Good with computers. HUMAN. Founder @waarneming. Jack of all trades @bitdefender & building @scatsec

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store