Detail of Dutch reaction to Russian cyber attack made public deliberately

Four Russian intelligence officials were expelled from the Netherlands after an attempted hack on the global chemical weapons watchdog. The Dutch government has been open about the detail

Four Russians attempted to break into the networks of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague, while it was conducting investigations on the use of chemical weapons in Syria, as well as the poisoning of Sergei Skripal.

Dutch authorities have revealed significant details of the attempted hack, which was supposed to take place in April before being thwarted by the Dutch military intelligence agency (MIVD), in cooperation with intelligence agencies in the UK and the US.

Dutch military intelligence chief Onno Eichelsheim said it is difficult to say why the OPCW specifically was targeted.

“Looking at the technical evidence, it’s impossible to be sure,” he said. But, he said, it did occur at the same time as the investigations into the Skripal case in the UK and the chemical attack in Douma, Syria.

Striking openness

The level of openness from the MIVD about the operation is striking. During a press conference, the intelligence service named the four suspects and revealed almost every detail about the attempted attack.

Shown live on screen were receipts from taxis the hackers took in Russia to Russia’s military intelligence service (GRU) headquarters, and all WiFi networks their laptops connected with during the operation.

According to the MIVD, the decision to make more information public than usual was made to “make it harder for Russian intelligence to operate internationally”.

“This operation against the OPCW is unacceptable,” said Ank Bijleveld, minister of defence in the country. “By revealing these Russian actions, we send a clear message: Russia must stop this.”

The four Russians came to the Netherlands in April on diplomatic visas. They were accompanied by an employee with the Russian embassy. After the attempted hack, the Russians were immediately expelled from the country and were told to leave their equipment behind, giving the intelligence agencies a detailed look into their mode of operations.

Breaking into WiFi networks

The attackers used a rental car parked close to the OPCW building in The Hague. The hackers then attempted to use Pineapples to break into the WiFi network of the organisation.

Pineapples are devices usually used for intercepting network traffic. The hackers were also caught using antennas and signal amplifiers, and other equipment the MIVD considers “specifically used during hacking operations”.
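An evil-twin attack of the kind a Pineapple-style device carries out works by advertising an SSID that clients already trust, so a defender's first check is to compare what is actually on the air against the inventory of legitimate access points. The following is an added example, not code from the original article or from the MIVD or OPCW; the access-point inventory, the beacon observations and the signal-strength threshold are all constructed for illustration.

```python
"""Rogue access point (evil twin) detection over constructed beacon observations.

Added example, not part of the original article. Flags any radio that
advertises one of the organisation's SSIDs without being on the inventory,
and reports extra indicators (security downgrade, unusually strong signal).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # MAC address of the advertising radio
    security: str    # "OPEN", "WPA2" or "WPA3" as parsed from the beacon
    channel: int
    rssi: int        # signal strength in dBm as reported by the scanner


# Hypothetical inventory of the organisation's own access points (constructed)
KNOWN_APS = {
    "corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "corp-guest": {"aa:bb:cc:00:00:03"},
}

# Constructed scan results: three legitimate APs, two impersonators, one neighbour
OBSERVED = [
    Beacon("corp-wifi", "aa:bb:cc:00:00:01", "WPA2", 36, -55),
    Beacon("corp-wifi", "aa:bb:cc:00:00:02", "WPA2", 44, -60),
    Beacon("corp-guest", "aa:bb:cc:00:00:03", "OPEN", 1, -58),
    Beacon("corp-wifi", "de:ad:be:ef:00:01", "OPEN", 6, -48),   # impersonation with security downgrade
    Beacon("corp-wifi", "de:ad:be:ef:00:02", "WPA2", 11, -50),  # impersonation copying the security mode
    Beacon("cafe-free", "11:22:33:44:55:66", "OPEN", 1, -80),   # unrelated neighbouring network
]

# Signal stronger than this from an unknown radio suggests a transmitter very close by
# (or an amplified one); constructed threshold, tune to the site survey.
STRONG_SIGNAL_DBM = -50


def find_rogue_aps(beacons, known_aps):
    """Return a list of (beacon, reasons) for beacons that impersonate a known SSID."""
    # Learn the expected security mode of each SSID from the inventoried APs' own beacons
    expected_security = {}
    for b in beacons:
        if b.bssid in known_aps.get(b.ssid, set()):
            expected_security.setdefault(b.ssid, b.security)

    findings = []
    for b in beacons:
        if b.ssid not in known_aps:
            continue  # not one of our SSIDs, so nothing is being impersonated
        if b.bssid in known_aps[b.ssid]:
            continue  # inventoried radio
        reasons = ["unknown BSSID advertising a corporate SSID"]
        expected = expected_security.get(b.ssid)
        if expected and b.security != expected:
            reasons.append(f"security {b.security} differs from expected {expected}")
        if b.rssi > STRONG_SIGNAL_DBM:
            reasons.append(f"unusually strong signal {b.rssi} dBm")
        findings.append((b, reasons))
    return findings


def report(beacons=OBSERVED, known_aps=KNOWN_APS):
    """Human-readable summary of the findings; returns the number of rogue radios."""
    findings = find_rogue_aps(beacons, known_aps)
    for beacon, reasons in findings:
        print(f"ROGUE {beacon.ssid} via {beacon.bssid} ch{beacon.channel}: " + "; ".join(reasons))
    return len(findings)


if __name__ == "__main__":
    report()
```

Running the block as a script prints one line per impersonating radio. In practice the beacon list comes from a wireless intrusion detection sensor or a periodic scan, and the inventory from the wireless controller; a downgrade from WPA2 to OPEN on a corporate SSID is the indicator worth paging on.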

During the operation, the MIVD found laptops with extra batteries (which the MIVD said were purchased in the Netherlands), and mobile phones with 4G connectivity, which the hackers tried to destroy during their arrest.

Eichelsheim reiterated that the excuse that the Russians might simply have been on holiday won’t fly. “They were caught with very specific equipment, entered on diplomatic visas, and were found carrying €20,000 and $20,000 in cash. That’s not a holiday.”

Other hacks

From the laptops and phones confiscated during the operation, the MIVD gained much insight into other hacks by the Russians.

Analysing previously used WiFi connections, they could connect the group to earlier attacks in Brazil and Malaysia that were related to the MH17 disaster.

The Netherlands has officially accused Russia of bringing down the passenger plane in 2014.

Professional amateurs

Many security experts have already commented on the seemingly amateurish way the hackers worked. They did little to hide their identities, and used fake passports with sequential serial numbers. Left on their equipment were many clues about their connections to the GRU.

Several of the cell phones used were activated inside GRU headquarters. This might suggest the attack was a cover for something else, a question the MIVD neither confirmed nor denied during the press conference.

Not everyone agrees with that observation. “Previous investigations into the GRU and related groups like APT28 tell us these are professionals who approach these hacks in a very dedicated way,” said Erik de Jong, cyber security expert at Fox-IT, which is in charge of digitally protecting Dutch governmental organisations.

“In this specific attack, errors were made, but don’t forget the MIVD presents us with a shortened version of only the things that went wrong for the attackers, not the things that went right.”

De Jong said it can be a good thing that the intelligence agencies have chosen to make so much information public. “Security companies have warned about espionage for years, but it’s always been an invisible problem,” he told Computer Weekly. “That makes it difficult for those outside the security industry to view the threat. Operations like these make espionage more visible.”

Spearphishing

It’s still unclear why the Russians chose to gain physical access to the OPCW’s network, but British intelligence said Russia tried spearphishing tactics first, which were ultimately unsuccessful.

How the four men intended to penetrate the WiFi network is another mystery, though another cyber security expert, Frank Groenewegen, speculated that they might have used a zero-day exploit against routers or simply guessed passwords.

Official debate

The Netherlands has summoned the Russian ambassador. “Undermining the integrity of international organisations is unacceptable,” said Dutch defence minister Ank Bijleveld. She added that the Netherlands supports the UK conclusion that the GRU undermines the international justice system with these sorts of cyber operations.

Dutch politicians have reacted to the news in unsurprising ways. D66 MP Kees Verhoeven, who often takes on cyber security related matters, announced he has asked for an official debate in the Dutch House of Parliament.

“This is the umpteenth example of aggressive and shameless behaviour of Russia on European and Dutch soil,” he said. He is supported by almost every other MP in both the administration and the opposition.

Russia has refuted the allegations, dismissing them as “fantasies”.
