The spies who beat Russian hackers at their own game

Dutch JSCU alerted United States to ‘Cozy Bear’ and ‘Fancy Bear’ attacks

The United States was first alerted to Russian hacking of Democratic National Committee offices in Washington in the summer of 2015, when the Dutch security services told it they'd had the hackers under surveillance since the middle of the previous year.

In an extraordinary counterintelligence coup against the Russian hacking group known as Cozy Bear or APT 29, the Dutch were able to pass data about their intrusions, as well as footage from a CCTV camera in the hackers' Moscow offices, to the US National Security Agency and the CIA.

The Democratic National Committee hack was subsequently confirmed by two independent research firms, and the Dutch intelligence is now believed to form part of the FBI investigation into possible Russian meddling in the 2016 US presidential election being led by Robert Mueller.

The Netherlands had succeeded where others had failed: they had hacked the Russian hackers, and watched them as they worked. One analyst described it as a gold mine

There were at least two hacks against the DNC by two separate, frequently competing Russian groups, sometimes working for different organisations but with the same broad agenda of disinformation. The first was when Cozy Bear accessed the DNC servers in mid-2015 and then simply monitored email traffic and internal chat for more than a year, unaware it was being watched by the Dutch cyberspooks. The second DNC hack, also monitored by the Dutch, was a joint assault in April 2016 by Cozy Bear and its fellow Russian group Fancy Bear, also known as APT 28 or Operation Pawn Storm.


The difference between the two groups is that Cozy Bear is believed to have arm’s-length links to Russia’s external intelligence service, the SVR, while Fancy Bear has links mainly to military intelligence, the GRU. Based on images of those coming and going from the Moscow offices, the Dutch concluded that this was an operation overseen by the SVR.

The Russians’ cyber break-in at the DNC was revealed in June 2016. Although it emerged that the US had been warned by an “unnamed western intelligence agency”, that organisation was believed at the time to be MI6, the UK’s secret intelligence service.

Some suggest the Dutch were annoyed that the Americans apparently leaked the involvement of a European ally, seemingly to boost the credibility of the hacking reports in the face of President Donald Trump’s refusal to acknowledge interference by the Russians.

The Dutch connection began to emerge at the start of this year, when media reports revealed that the Netherlands had succeeded where agencies around the world had failed: they had hacked the Russian hackers, and watched them as they worked. One analyst described it as a gold mine.

In a new era of ultracomplex political warfare, as the West is learning to its detriment, falling behind is not an option

Information has continued to emerge as tensions between President Vladimir Putin and the West have heightened, most recently as a result of the poisoning of the former Russian spy Sergei Skripal and his daughter, Yulia.

The Dutch group involved was the Joint Sigint Cyber Unit (JSCU), set up in 2014 as a collaboration between the domestic intelligence service, AIVD, and military intelligence, MIVD. The unit has about 300 staff at AIVD headquarters, near The Hague.

Politically, the establishment of the JSCU was an acknowledgment of the unprecedented speed at which information technology is changing the landscape of espionage and counterintelligence. It was also an acknowledgment that although Russia pioneered the toolkit of "asymmetric measures" for the 21st century, particularly cyberattacks and disinformation, these tools are, to a frightening extent, yesterday's news.

Advances in artificial intelligence and machine learning, the inevitability, sooner rather than later, of the quantum internet, and the growing availability of big data have set the scene for a new era of ultracomplex political warfare. And, as the West is learning to its detriment, falling behind is not an option.

In this particular case, however, the first crucial piece of intelligence gathered by the JSCU was far more basic than that: an old-fashioned tip about a group of Russian hackers apparently based in university offices near Red Square in Moscow.

The JSCU began probing the Russians’ cyberdefences in 2014. The first high-profile attack on the Americans that the Dutch monitored was in November that year, when the Russians hacked the state department. The Dutch watched as the Russians gathered the email addresses and log-in details of a clutch of senior civil servants, and then alerted the Americans. What followed was subsequently described by one NSA source as the cyber equivalent of hand-to-hand combat, as the Americans fought to repel the Russians in a struggle lasting almost 24 hours.

The Russians afterwards remained unaware of how the Americans had spotted the hack, and the Dutch surveillance continued.

The Dutch surveillance continued through the 2016 presidential election. It had lasted for perhaps two and a half years

The second hack watched by the Dutch was the attack on the White House, also in autumn 2014, in which the Russians gained access to the unclassified computer network, to some confidential memos, and to part of President Obama's email correspondence.

The DNC hacks, which were to cause such a political storm, with claims that they were aimed at undermining the Clinton campaign, began about six months later.

The Dutch surveillance continued through the 2016 presidential election. Then it was discontinued or compromised; which is unclear. It had lasted for perhaps two and a half years.

At some point in that surveillance, when the Dutch saw the scale of the Russian attacks, and the suspicion emerged that the presidential election might be a target, the AIVD contacted the NSA liaison at the US embassy in The Hague, to set up a meeting at which they broke the news of their operation.

The Americans then took the highly unusual step of opening a secure line from NSA headquarters, in the US, to AIVD headquarters, so that the Dutch data could be transferred to the United States.

There is also believed to have been a meeting between the chiefs of the AIVD and MIVD, Rob Bertholee and Pieter Bindt, the director of the NSA, Michael Rogers, and the US national intelligence director at the time, James Clapper, at which the intelligence share was discussed.

The US spy agencies had been blindsided by the attacks, which, said Chris Painter, who spent six years as the state department's top "cyber diplomat", was "one of the reasons why the Dutch access was so appreciated".

The Kremlin has rejected the reports of Dutch involvement. “Throwing coal into the furnace of anti-Russian hysteria that exists in America and elsewhere is not the most noble occupation,” said Putin’s press secretary, Dmitry Peskov.

Neither the AIVD nor the MIVD comments on specific operations.