Dutch team infiltrated Russian hacker group, witnessing U.S. election meddling, DNC attack: report

"Hacker And Laptop Waiting For Something" Image: Benoit Daoust; via Twitter/@CC_DO

This story was updated to reflect that the JSCU team may have gained access to the Russian hacker network just before the crash of MH17.

Two Dutch intelligence services uncovered substantial evidence detailing how a Russian-backed hacking group infiltrated the Barack Obama White House, the U.S. Department of State, and the Democratic National Committee, according to a groundbreaking report from broadcaster NOS and newspaper Volkskrant. The evidence was uncovered by a Dutch cyber defense team that gained access to the "Cozy Bear" hacker group's systems, including a hallway security camera that allowed the Dutch team to maintain visual surveillance of the hackers.

Information collected by the Dutch Joint Sigint Cyber Unit (JSCU) was turned over to the NSA, CIA, and FBI, and helped form the basis for the U.S. special counsel investigation examining claims of Russian meddling during the 2016 presidential election campaign battle between current U.S. President Donald Trump and former Secretary of State Hillary Clinton. The JSCU, composed of members from the AIVD and MIVD intelligence agencies, kept watch over Cozy Bear for anywhere between 12 and 30 months.

It started in the summer of 2014, "most likely before" the crash of Malaysia Airlines flight MH17, the Volkskrant reported. The flight, which originated in Amsterdam, was shot out of the sky over Ukraine. The incident was suspected to be the act of Russian-backed separatists or the Russian military.

That summer, the JSCU got word of an elite Moscow-based hacker group working from a university campus near Red Square. By November, the JSCU had infiltrated the Russian network and accessed the camera, witnessing how a massive cyber attack against the United States was carried out, and likely who was involved.

"The NSA defenders, aided by the FBI, prevailed over the intruders, who were working for a Russian spy agency," the Washington Post wrote of the U.S. counter-attack, which took over a day to thwart. "The NSA was alerted to the compromises by a Western intelligence agency. The ally had managed to hack not only the Russians’ computers, but also the surveillance cameras inside their workspace, according to the former officials," the Post noted.

Cozy Bear, alternatively known as "The Dukes" and "APT29", is believed to be responsible for hacking attempts in the Netherlands, the NOS/Volkskrant report stated. They partnered with "Fancy Bear" to attack the DNC twice, including a 2015 attempt that was discovered by the Dutch team and revealed to the FBI.

The JSCU is no longer able to monitor Cozy Bear, but the Dutch news report did not detail why. However, the news outlets reported that Dutch officials were angered by the unnamed sources in the Washington Post report as that may have compromised the Dutch team. The story was published months after Trump took office.

It has led to the Dutch intelligence agencies becoming more hesitant about sharing information with the U.S., particularly with Trump in the White House, the Volkskrant stated.

Former FBI Director and current special counsel Robert Mueller just this week indicated he would like to interview Trump as part of the Russia investigation, CNN reported. Mueller also wants to speak with former NSA head Michael Flynn, who pleaded guilty to lying to FBI investigators during a January 24, 2017, meeting, and Steve Bannon, Trump's former White House Chief of Staff.