Russia-linked APT breached the network of Dutch police in 2017

Russia-linked cyberspies breached the internal network of Dutch police in 2017 while the authorities were investigating the crash of MH-17.

Russia-linked threat actors breached the internal network of Dutch police in 2017 during the investigation into the MH-17 crash. The intrusion was uncovered by AIVD, the Dutch intelligence service, but was not disclosed by Dutch authorities until now. The Dutch newspaper the Volkskrant first reported the news.

The hackers exploited a vulnerability in “exotic software” to compromise a server of the Dutch Police Academy, then moved laterally to reach other systems in the main Dutch police network.

The intrusion was uncovered by the Dutch intelligence service AIVD. Government experts discovered that a Dutch police IP address was connecting to servers operated by a Russia-linked APT.

According to sources of the Volkskrant, the attack was conducted by the Russia-linked APT29 (aka SVR, Cozy Bear, and The Dukes). APT29, along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

However, Volkskrant doesn’t exclude the involvement of another Russia-linked APT, APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM). The group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. APT28 was also involved in the string of attacks that targeted the 2016 Presidential election. Experts link the APT to the Russian military intelligence service (GRU).

According to Volkskrant, at the time of the intrusion, neither the AIVD nor the Dutch police were able to detect it.

Sources told Volkskrant that the two agencies were not aligned on who should handle the intrusion and how to respond to the incident.

“Sources also described several moments of friction between the two Dutch agencies when it came to deciding on how to handle the intrusion and subsequent clean-up, with the AIVD wanting to keep the hackers under surveillance while police officials wanted them removed from their systems due to the possibility of compromising sensitive cases.” reported The Record.

Dutch authorities have yet to confirm the information shared by the newspaper.

On July 17, 2014, Flight MH17, traveling from Amsterdam to Kuala Lumpur, was shot down by a missile in mysterious circumstances. Flight MH17 was flying over a conflict zone in eastern Ukraine when a Russian-made missile hit it. On October 13, the Dutch Safety Board (DSB), which investigated the incident, published a detailed report.

According to Trend Micro, the Pawn Storm APT group has targeted the Dutch Safety Board to gather information regarding the status of the investigation.

Several other Dutch organizations were targeted by Russia-linked APT groups on multiple occasions.

In January 2018, the newspaper de Volkskrant reported that in 2014 the Dutch intelligence service AIVD monitored the activity of the Russian APT Cozy Bear (aka APT29) and its efforts to hack into the US Democratic Party’s systems and US government servers.

According to the newspaper, AIVD provided the FBI with crucial information about Russian interference with the American elections.

According to a report published by the AIVD, the activities carried out by Russia-linked threat actors pose a serious threat to the country. Earlier this year, the Dutch government expelled SVR agents working at the Russian embassy in The Hague.

Pierluigi Paganini

(SecurityAffairs – hacking, Epsilon Red ransomware)
