Russian hackers compromised the computer systems of the Dutch national police while the latter were conducting a criminal probe into the downing of Malaysia Airlines Flight 17 (MH17), according to a new report.
MH17 was a scheduled passenger flight from Amsterdam to Kuala Lumpur, which was shot down over eastern Ukraine on July 17, 2014. All 283 passengers and 15 crew on board, 196 of them Dutch citizens, were killed.
Dutch newspaper De Volkskrant, which revealed this new information last week, said the compromise of the Dutch national police’s computer systems was not detected by Dutch police themselves, but by the Dutch General Intelligence and Security Service (AIVD). The paper said that neither the police nor the AIVD were willing to confirm the breach, but added that it had confirmed the breach took place through multiple anonymous sources.
On July 5, 2017, the Netherlands, Ukraine, Belgium, Australia and Malaysia announced the establishment of the Joint Investigation Team (JIT) into the downing of flight MH17. The multinational group stipulated that possible suspects in the downing of flight MH17 would be tried in the Netherlands. In September 2017, the AIVD said it possessed information about Russian targets in the Netherlands, which included an IP address of a police academy system. That system turned out to have been compromised, which allowed the attackers to access police systems. According to four anonymous sources, evidence of the attack was detected in several different places.
The police academy is part of the Dutch national police, and non-academy police personnel can access the network using their log-in credentials. Some sources suggest that the Russian Foreign Intelligence Service (SVR) carried out the attack through a Russian hacker group known as APT29, or Cozy Bear. However, a growing number of sources claim the attack was perpetrated by the Main Directorate of the Russian Armed Forces’ General Staff, known commonly as GRU, through a hacker group known as APT28, or Fancy Bear. SVR attackers are often involved in prolonged espionage operations and are careful to stay below the radar, whereas the GRU is believed to be more heavy-handed and faster. The SVR is believed to be partly responsible for the compromise of United States government agencies and companies through the supply-chain attack known as the SolarWinds cyber attack, which came to light in late 2020.
Russia has tried to sabotage and undermine investigation activities into the MH17 disaster through various means: influence campaigns on social media, hacking of the Dutch Safety Board, theft of data from Dutch investigators, manipulation of other countries involved in the investigation, and the use of military spies. The Dutch police and public prosecution service were repeatedly targeted by phishing emails, police computer systems were subjected to direct attacks, and a Russian hacker drove a car with hacking equipment near the public prosecution office in Rotterdam.
The above efforts are not believed to have been successful. But the attack that came to light in September 2017 may have been. The infected police academy system ran “exotic” (meaning uncommon) software, according to a well-informed source. The Russians reportedly exploited a zero-day vulnerability in that software. After the incident, the national police made improvements in their logging and monitoring capabilities, and in their Security Operations Center (SOC). It is not currently known how long the attackers had access to the national police system, nor what information they were able to obtain.