Dutch intelligence services had eyes and ears for years on the Russian outfit that hacked the Democratic National Committee, even infiltrating a surveillance camera at the Cozy Bear headquarters and recording hackers’ faces, Dutch media reported.
That trove of intelligence gathered by the Netherlands since 2014 has been crucial to the U.S. investigation into the Russian campaign-influence operation, the reports from Nieuwsuur and Volkskrant said.
Cybersecurity company CrowdStrike reportedly first noticed the DNC hack by two Russian intelligence groups on June 14, 2016; CrowdStrike CTO Dmitri Alperovitch wrote in a blog post at the time that they were called upon by the DNC to investigate a suspected breach and “immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR.”
“In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis. Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter,” Alperovitch said. “…Both adversaries engage in and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.”
According to the Dutch media report, Dutch intelligence agency AIVD first hacked into Cozy Bear, situated in a university building next to Moscow’s Red Square, in summer 2014. About 10 hackers were there at any given time, and the Dutch hacked into a security camera showing who entered and exited the room. Pictures were taken of all visitors; these were compared to images of known spies.
In November 2014, the Volkskrant report said, Dutch intelligence was watching as the Russian hackers geared up for their cyberattack on the State Department. The Dutch tipped off U.S. intelligence, and a 24-hour cyberbattle ensued between the Russian attackers and U.S. defenders, with Dutch spies in their corner. The State Department attack was beaten back, but not before Cozy Bear had phished the White House by sending an email to a staffer who opened it and clicked on a link within, believing it was from a State colleague.
The Dutch alerted U.S. intelligence that Cozy Bear had gained access to White House email servers. The head of AIVD said there was “no question” the Russian government was behind Cozy Bear’s hacking.
Grateful Americans sent cake and flowers to the Dutch intelligence service, the report said. In 2016, the AIVD chief discussed the operation in person with Director of National Intelligence James Clapper and National Security Agency Director Adm. Mike Rogers.
The Dutch intelligence services now “don’t feel understood by the Americans” and are “a lot more cautious when it comes to sharing intelligence,” the report said, adding, “They’ve become increasingly suspicious since Trump was elected president.”
The Dutch infiltration of Cozy Bear, which lasted up to two and a half years, is no longer occurring, said Volkskrant.