News report claims Dutch spies hacked Russian cyberwar operation and pwned their CCTVs, then recorded video of Russian government hackers attacking the DNC

Dutch left-leaning daily de Volkskrant has published a remarkable — but thinly sourced — report claiming that a Dutch spy agency called the General Intelligence and Security Service of the Netherlands (AIVD) hacked into the network of a notorious Russian spy group called "Cozy Bear" or APT29, thought to be an arm of the Russian spy apparatus, and obtained direct evidence of Russian state involvement in the hacking of the DNC during the 2016 US election campaign.

According to the newspaper report, which obliquely cites US and Dutch intelligence sources, the Dutch spy agency hacked the networks of a building in a Moscow university that was believed to be home to Cozy Bear and compromised its security cameras, allowing them to watch everything that happened in the building. This access allowed them to photograph the faces of the hackers working on the attack and match them with dossiers of people know to be Russian spies and government officials.

The Dutch spies' access allowed them to witness first-hand attacks on the US State Department, White House and DNC. They tipped off the NSA, who engaged in "hand to hand combat" with the Russian attackers, shutting down servers and blocking IP addresses in a pitched fight.

Elements of this story have already leaked, but without attribution to the Dutch spy agency (many assumed that Israeli spies were the ones who'd hacked the cameras and made the IDs). But US spies, frustrated at the Trump administration's refusal to acknowledge Russian electoral meddling, have leaked parts of the story to the US press, which has infuriated AIVD officials, who are upset that the US has rewarded their help by outing them and their methods. Between these hurt feelings and Trump's many public policy gaffes and excesses, relations between the two countries' spy agencies are reportedly strained.

There are some caveats here: first, much of this (the CCTV hacking and attribution) was already disclosed, but without the Dutch connection. Second, the de Volkskrant article is a bit…off. It is presented in a very rough translation, which I would attribute to the vagaries of Google Translate, except that there's a named translator, and given that most Dutch people of my acquaintance speak better English than I do, that's hard to understand. The second problem (which may be a translation issue, see problem number one) is that the sourcing on this story is buried deep, with the most glancing and oblique references to sources in Dutch and US intelligence, but no sense of which parts of the story come from whom, whether any of it was second-sourced, whether it draws on earlier leaks, etc.

I'm not saying it's not true, but I am saying that as with all stories of this nature, caution is warranted. An ironclad axiom of information security is that "attribution is hard," and the stakes here are very high.

AIVD's intrusion into the network gave them access to computers used by the group behind Cozy Bear, and to the closed-circuit television cameras that watched over them, allowing them to literally witness everything that took place in the building near Red Square, according to the report. Access to the video cameras in a hallway outside the space where the Russian hacking team worked allowed the AIVD to get images of every person who entered the room and match them against known Russian intelligence agents and officials.

Based on the images, analysts at AIVD later determined that the group working in the room was operated by Russia's Foreign Intelligence Service (SVR). An information and technology sharing arrangement with the National Security Agency and other US intelligence agencies resulted in the determination that Cozy Bear's efforts were at least in part being driven by the Russian Federation's leadership—including Russian president Vladimir Putin.

The data collected by AIVD began to pay off in November of 2014, when the agency alerted US intelligence officials that the Cozy Bear group had obtained log-in credentials and e-mail from US State Department employees. enabling the National Security Agency, the Federal Bureau of Investigations, and the State Department to shut down the attack within 24 hours. A later attack on the White House was also picked up by the AIVD analysts, de Volkskrant's Huib Modderkolk reported.

Dutch agencies provide crucial intel about Russia's interference in US-elections – Media [Huib Modderkolk/de Volkskrant]

Candid camera: Dutch hacked Russians hacking DNC, including security cameras [Sean Gallagher/Ars Technica]

(Image: FaceMePLS, CC-BY)