Dutch intelligence first to alert U.S. about Russian hack of Democratic Party

In the Summer of 2015, Dutch intelligence services were the first to alert their American counterparts about the cyberintrusion of the Democratic National Committee by Cozy Bear, a hacking group believed to be tied to the Russian government. Intelligence hackers from Dutch AIVD (General Intelligence and Security Service) had penetrated the Cozy Bear computer servers as well as a security camera at the entrance of their working space, located in a university building adjacent to the Red Square in Moscow.

Over the course of a few months, they saw how the Russians penetrated several U.S. institutions, including the State Department, the White House, and the DNC. On all these occasions, the Dutch alerted the U.S. intelligence services, Dutch tv programme Nieuwsuur and de Volkskrant, a prominent newspaper in The Netherlands, jointly report on Thursday. This account is based on interviews with a dozen political, diplomatic and intelligence sources in The Netherlands and the U.S. with direct knowledge of the matter. None of them wanted to speak on the record, given the classified details of the matter.

Not only had Dutch intelligence penetrated the computer network of the hackers, they also managed to hack a security camera in the corridor. This allowed them to see exactly who entered the hacking room. Information about these individuals was shared with the US intelligence services. Dutch intelligence services consider Cozy Bear an extension of the SVR, the Russian foreign intelligence service, which is firmly controlled by President Putin.

The information shared by The Netherlands about the hacks at the DNC ended up on the desk of Robert Mueller, the Special Prosecutor leading the FBI investigation into possible Russian interference in the American elections. As early as December, the New York Times reported that information from, among others, Australia, the United Kingdom and The Netherlands had propelled the FBI investigation.

Gaining access to the network

In the summer of 2014, the Joint Sigint Cyber Unit (JSCU) was launched, a joint unit of AIVD and MIVD, the Dutch Military Intelligence and Security Service. Based in the Dutch city of Zoetermeer, it focuses on, among other things, obtaining intelligence through cyber operations. That same summer, the unit received a tip about a group of Russian hackers based at a university complex in Moscow. An AIVD hacking team, operating under the JSCU flag, subsequently succeeded in penetrating the internal Russian computer network. Not only did the AIVD gain access the computer network, it also hacked the security camera in the corridor.

After a few months, in November 2014, the Dutch watched as the Russian hackers penetrated the computer network of the State Department. After being alerted to this by the Dutch intelligence chiefs, it took the Americans over 24 hours to avert the Russian attack, after a digital clash which, years later, at a discussion forum in Aspen, the Deputy Director of the NSA would refer to as hand-to-hand combat . Basing itself on intelligence sources, the Washington Post wrote that a Western ally had been of assistance.

In the autumn of 2014, the Russians also gained access to the non-classified computer network of the White House. This allowed them to see confidential memos and non-public information about the itinerary of President Obama, and to at least part of President Obama's email correspondence. These hacks, too, were exposed by the Dutch intelligence services, which subsequently notified the Americans.

Cozy bear

The Russian hackers belong to a group that, over the years, the intelligence services and cyber security companies had referred to alternatively as The Dukes and APT29, but that for several years now has mostly been known as Cozy Bear. Most Western intelligence services assume that the group is controlled by foreign intelligence service SVR. For years, Western intelligence services and cyber security companies have been hunting the group, which has attacked government agencies and businesses around the globe, including in The Netherlands.

Together with another group of Russian hackers (Fancy Bear, also known as APT28), Cozy Bear is also held responsible for the cyberintrusion of the DNC. In April 2016, Fancy Bear accessed the Washington servers of the Democrats; Cozy Bear had done so as early as the summer of 2015. Once more, the group was caught red-handed by the Dutch, who again alerted their U.S. counterparts.

It is not clear why the hacks at the DNC could continue for so long despite the Dutch warnings. Last year, The New York Times reported that for months, the DNC had not taken the FBI warnings seriously. Eventually, cybersecurity company Crowdstrike, which was investigating the matter on behalf of the Democratic Party, also concluded that Cozy Bear and Fancy Bear were jointly responsible for the hacks. According to the US intelligence services, Russian officials eventually passed on the emails hacked by Fancy Bear to Wikileaks, which published them. The published emails caused a huge scandal in the American election campaign.

College Tour

Last Sunday on Dutch television programme College Tour, Rob Bertholee, head of AIVD, said that he had no doubt that the Kremlin was directly responsible for the Russian cyber campaign against U.S. government agencies. Bertholee as well as Pieter Bindt, who was heading MIVD at the time, personally discussed the DNC matter with James Clapper, at the time overall head of the US intelligence services, and Michael Rogers, who is soon to retire as the head of the NSA.

As of now, the AIVD hackers do not seem to have access to Cozy Bear any longer. Sources suggest that the openness of US intelligence sources, who in 2017 praised the help of a Western ally in news stories, may have ruined their operation. The openness caused great anger in The Hague and Zoetermeer. In the television programme College Tour, this month, AIVD director Bertholee stated that he is extra careful when it comes to sharing intelligence with the U.S., now that Donald Trump is President.