Russian actors had access to Dutch police computer network during MH17 probe

Flight MH17

Russian hackers compromised the computer systems of the Dutch national police while the latter were conducting a criminal probe into the downing of Malaysia Airlines Flight 17 (MH17), according to a new report. MH17 was a scheduled passenger flight from Amsterdam to Kuala Lumpur, which was shot down over eastern Ukraine on July 17, 2014. All 283 passengers and 15 crew on board, 196 of them Dutch citizens, were killed.

Dutch newspaper De Volkskrant, which revealed this new information last week, said the compromise of the Dutch national police’s computer systems was not detected by Dutch police themselves, but by the Dutch General Intelligence and Security Service (AIVD). The paper said that neither the police nor the AIVD were willing to confirm the breach, but added that it had confirmed the breach took place through multiple anonymous sources.

On July 5, 2017, the Netherlands, Ukraine, Belgium, Australia and Malaysia announced the establishment of the Joint Investigation Team (JIT) into the downing of flight MH-17. The multinational group stipulated that possible suspects of the downing of flight MH17 would be tried in the Netherlands. In September 2017, the AIVD said it possessed information about Russian targets in the Netherlands, which included an IP address of a police academy system. That system turned out to have been compromised, which allowed the attackers to access police systems. According to four anonymous sources, evidence of the attack was detected in several different places.

The police academy is part of the Dutch national police, and non-academy police personnel can access the network using their log-in credentials. Some sources suggest that the Russian Foreign Intelligence Service (SVR) carried out the attack through a Russian hacker group known as APT29, or Cozy Bear. However, a growing number of sources claim the attack was perpetrated by the Main Directorate of the Russian Armed Forces’ General Staff, known commonly as GRU, through a hacker group known as APT28, or Fancy Bear. SVR attackers are often involved in prolonged espionage operations and are careful to stay below the radar, whereas the GRU is believed to be more heavy-handed and faster. The SVR is believed to be partly responsible for the compromise of United States government agencies and companies through the supply chain attack known as the SolarWinds cyber attack, which came to light in late 2020.

Russia has tried to sabotage and undermine investigation activities into the MH17 disaster through various means: influence campaigns on social media, hacking of the Dutch Safety Board, theft of data from Dutch investigators, manipulation of other countries involved in the investigation, and the use of military spies. The Dutch police and public prosecution service were repeatedly targeted by phishing emails, police computer systems were subjected to direct attacks, and a Russian hacker drove a car with hacking equipment near the public prosecution office in Rotterdam.

The above efforts are not believed to have been successful. But the attack that came to light in September 2017 may have been. The infected police academy system ran “exotic” (meaning uncommon) software, according to a well-informed source. The Russians reportedly exploited a zero day vulnerability in that software. After the incident, the national police made improvements in their logging and monitoring capabilities, and in their Security Operations Center (SOC). It is not currently known how long the attackers had access to the national police system, nor what information they were able to obtain.

Author: Matthijs Koot | Date: 17 June 2021 | Permalink

Ukraine, Russia, spied on Dutch investigators of MH17 plane disaster, TV report claims

MH17 crashDozens of Dutch security officers, legal experts, diplomats and other civil servants were systematically spied on by Ukrainian and Russian intelligence services while probing the aftermath of the MH17 disaster, according to a report on Dutch television. Malaysia Airlines Flight 17, a scheduled passenger flight from Amsterdam to Kuala Lumpur, was shot down over eastern Ukraine on July 17, 2014. All 283 passengers and 15 crew on board, 196 of them Dutch citizens, were killed. In the aftermath of the disaster, the Dutch Safety Board spearheaded the establishment of the multinational Joint Investigation Team (JIT), which is still engaged in a criminal probe aimed at identifying, arresting and convicting the culprits behind the unprovoked attack on Flight MH17. As part of the JIT, dozens of Dutch officials traveled to Ukraine to initiate the investigation into the plane crash and repatriate victims’ bodies and belongings. Their activities were conducted with the support of the Ukrainian government, which is party to the JIT.

But on Tuesday, Holland’s RTL Niews broadcaster said that members of the Dutch JIT delegation were subjected to systematic and persistent spying by both Ukrainian and Russian government operatives. According to RTL, Dutch investigators found sophisticated eavesdropping devices in their hotel rooms in Ukraine, and believed that their electronic devices had been compromised. Citing “inside sources” from the Dutch government, the broadcaster said that, during their stay in Ukraine, members of the Dutch JIT delegation noticed that the microphones and cameras on their wireless electronic devices would turn on without being prompted. They also noticed that the devices would constantly try to connect to public WiFi networks without being prompted. Upon their return to Holland, Dutch officials had their wireless devices examined by Dutch government security experts. They were told that numerous malware were discovered on the devices.

RTL Niews said that the question of whether valuable information relating to the MH17 investigation was stolen by foreign spies remains unanswered. But it noted that the members of the Dutch JIT delegation were warned about possible espionage by foreign powers prior to traveling to Ukraine. During their stay there, they were not allowed to send messages in unencrypted format and were only permitted to hold sensitive conversations in especially designated rooms inside the Dutch embassy in Kiev. The Dutch government did not respond to questions submitted to it by RTL Niews. But it issued a statement saying that its security experts had briefed and trained the Dutch JIT delegation prior to its trip to Ukraine. Members of the delegation were told that foreign parties would seek to collect intelligence, because the MH17 investigation was taking place in a “conflict area with significant geopolitical interest” for many parties. They were therefore advised to “assume that they were being spied on [and] adjust [their] behavior accordingly” while in Ukraine, the Dutch government’s statement said.

Author: Ian Allen | Date: 28 June 2018 | Permalink