Dutch intelligence disrupt large-scale botnet belonging to Russian spy agency

GRU KtON MARCH 3, 2022, Dutch newspaper Volkskrant reported that the Dutch Military Intelligence and Security Service (MIVD) took action in response to abuse of SOHO-grade network devices in the Netherlands. The attacks are believed to have been perpetrated by the Main Intelligence Directorate of the General Staff of the Russian Armed Forces (GRU) Unit 74455. The unit, which is also known as Sandworm or BlackEnergy, is linked to numerous instances of influence operations and sabotage around the world.

The devices had reportedly been compromised and made part of a large-scale botnet consisting of thousands of devices around the globe, which the GRU has been using to carry out digital attacks. The MIVD traced affected devices in the Netherlands and informed their owners, MIVD chief Jan Swillens told Volkskrant. The MIVD’s discovery came after American and British [pdf] services warned in late February that Russian operatives were using a formerly undisclosed kind of malware, dubbed Cyclops Blink. According to authorities, the botnet in which the compromised devices were incorporated has been active since at least June 2019.

Cyclops Blink leverages a vulnerability in WatchGuard Firebox appliances that can be exploited if the device is configured to allow unrestricted remote management. This feature is disabled by default. The malware has persistence, in that it can survive device reboots and firmware updates. The United Kingdom’s National Cyber Security Centre describes Cyclops Blink as a “highly sophisticated piece of malware”.

Some owners of affected devices in the Netherlands were asked by the MIVD to (voluntarily) hand over infected devices. They were advised to replace the router, and in a few cases given a “coupon” for an alternative router, according to the Volkskrant. The precise number of devices compromised in the Netherlands is unclear, but is reportedly in the order of dozens. Swillens said the public disclosure is aimed at raising public awareness. “The threat is sometimes closer than you think. We want to make citizens aware of this. Consumer and SOHO devices, used by the grocery around the corner, so to speak, are leveraged by foreign state actors”, he added.

The disclosure can also be said to fit in the strategy of public attribution that was first mentioned in the Netherlands’ Defense Cyber Strategy of 2018. Published shortly after the disclosure of the disruption by MIVD of an attempted GRU attack against the computer network of the OPCW, the new strategy included the development of attribution capabilities, as well as the development of offensive capabilities in support of attribution. It advocates the view that state actors “that are [publicly] held accountable for their actions will make a different assessment than attackers who can operate in complete anonymity”.

Author: Matthijs Koot | Date: 07 March 2022 | Permalink

Western spy agencies thwarted alleged Russian plot to hack Swiss chemical lab

OPCW HagueWestern intelligence agencies thwarted a plot involving two Russians intending to travel to a Swiss government laboratory that investigates nuclear, biological and chemical weapons, and hack its computer systems. According to two separate reports by Dutch newspaper NRC Handelsblad and Swiss newspaper Tages-Anzeiger, the two were apprehended in The Hague in early 2018. The reports also said that the Russians were found in possession of equipment that could be used to compromise computer networks. They are believed to work for the Main Intelligence Directorate, known as GRU, Russia’s foremost military intelligence agency. The apprehension was the result of cooperation between various European intelligence services, reportedly including the Dutch Military Intelligence and Security Organization (MIVD).

The laboratory, located in the western Swiss city of Spiez, has been commissioned by the Netherlands-based Organization for the Prohibition of Chemical Weapons (OPCW) to carry out investigations related to the poisoning of Russian double agent Sergei Skripal and his daughter Yulia in March of this year. It has also carried out probes on the alleged use of chemical weapons by the Russian-backed government of President Bashar al-Assad in Syria. In the case of the Skripals, the laboratory said it was able to duplicate findings made earlier by a British laboratory.

Switzerland’s Federal Intelligence Service (NDB) reportedly confirmed the arrest and subsequent expulsion of the two Russians. The Swiss agency said it “cooperated actively with Dutch and British partners” and thus “contributed to preventing illegal actions against a sensitive Swiss infrastructure”. The office of the Public Prosecutor in the Swiss capital Bern said that the two Russians had been the subject of a criminal investigation that began as early as March 2017. They were allegedly suspected of hacking the computer network of the regional office of the World Anti-Doping Agency in Lausanne. The Spiez laboratory was a target of hacking attempts earlier this year, according to a laboratory spokesperson. “We defended ourselves against that. No data was lost”, the spokesperson stated.

On April 14, Russian Minister of Foreign Affairs Sergei Lavrov stated that he had obtained the confidential Spiez lab report about the Skripal case “from a confidential source”. That report confirmed earlier findings made by a British laboratory. But the OPCW, of which Russia is a member, states that its protocols do not involve dissemination of scientific reports to OPCW member states. Hence, the question is how Foreign Minister Lavrov got hold of the document.

As intelNews reported in March, in the aftermath of the Skripals’ poisoning the Dutch government expelled two employees of the Russian embassy in The Hague. In a letter [.pdf] sent to the Dutch parliament on March 26 —the day when a large number of countries announced punitive measures against Russia— Holland’s foreign and internal affairs ministers stated that they had decided to expel the two Russian diplomats “in close consultation with allies and partners”. The Russians were ordered to leave the Netherlands within two weeks. It is unknown whether the two expelled Russian diplomats are the same two who were apprehended in The Hague, since none have been publicly named.

A November 2017 parliamentary letter from Dutch minister of internal affairs Kajsa Ollongren, states[4] that Russian intelligence officers are “structurally present” in the Netherlands in various sectors of society to covertly collect intelligence. The letter added that, in addition to traditional human intelligence (HUMINT) methods, Russia deploys digital means to influence decision-making processes and public opinion in Holland.

Author: Matthijs Koot | Date: 17 September 2018 | Permalink

Analysis: New Dutch spy bill proposes changes in approval, oversight

AIVD HollandOn July 2, 2015, the Dutch government released for public consultation a long-awaited bill that overhauls the Dutch Intelligence and Security Act of 2002. Known also as Wiv2002, the Act is the legal framework for the operations of the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD). The bill is a complete rewrite of the present law, and includes expansions of power, as well as changes to the approval regime and oversight. The below provides a brief overview focused on the interception and hacking powers.

The services’ special powers, such as interception and hacking, can only be used for a subset of their legal tasks. That subset includes national security,
foreign intelligence and military intelligence. The government annually determines the intelligence needs of itself and other intelligence consumers; the outcome is used to focus and prioritize strategic and operational plans and activities.

The services have and hold a specific interception power, i.e., interception of communication of a specified person, organization and/or technical characteristic (e.g. IMEI, phone number, IP address, email address). This requires approval from the minister in charge. The services also have and hold a non-specific interception power —i.e., ‘bulk’ interception— but the bill expands that power from ether-only to “any form of telecommunications or data transfer”, thus including cable networks. Furthermore, the bill no longer limits the non-specific power to communication that has a foreign source and/or foreign destination, meaning that domestic communication is in scope. Like the specific power, the non-specific power requires approval from the minister in charge. The services can retain raw bulk intercepts not just for one year, as is presently the case, but for three years. Encrypted raw intercepts can be stored indefinitely, as is presently the case; the three year retention period is triggered when bulk-intercepted encrypted data is decrypted.

Certain categories of “providers of communication services” will be required, in consultation with the services, to provide access to their networks, if so requested by the services on the basis of approval from the minister. Those categories will be determined by governmental decree. The term “provider of a communication service” is derived from the term “service provider” in the Budapest Convention on Cybercrime of 2001, and is defined so as to include public telecommunication networks, non-public telecommunications networks, hosting providers and website operators. The services have and hold the right to, under certain conditions and after approval from the Minister, compel “anyone” to decrypt data or hand over keys. The approval request for that must include an indication of the conversations, telecommunications or data transfers that are targeted.

Read more of this post

Former spy sues Dutch state for ‘abandoning’ him in Afghanistan

MIVDBy JOSEPH FITSANAKIS | intelNews.org
A former agent for Holland’s military intelligence agency has sued the Dutch state, alleging that it abandoned him in Afghanistan, after he had spent years providing support services to Dutch operatives there. Dutch newspaper De Telegraaf reported last week that the former agent, identified only as I.A., is a former police officer who relocated to Afghanistan while working for a Western contractor. He then stayed on in the Afghan capital Kabul, where he imported and sold cars. According to I.A., he was eventually approached by Holland’s Military Intelligence and Security Service (MIVD) and secretly hired as an agent.

Dutch researcher Dr. Matthijs Koot, who translated De Telegraaf’s article into English, reports that I.A. claims he was tasked by the MIVD to acquire local cars with forged license plates, as well as provide forged travel documentation, for Dutch Special Forces in Afghanistan. He also says he supplied Dutch intelligence officers with weapons that “fit what was usually seen on the streets” of Kabul, thus helping them blend in with the local population.

According to De Teelgraaf, I.A. is now suing the Dutch government, alleging that the MIVD “left him to his fate” in Afghanistan, a move that allegedly cost him extensive financial damage. He wants the MIVD to acknowledge that he worked for them and furthermore that he should not have been abruptly fired when his services were no longer needed. According to the paper, I.A. threatened to release to the media details of his work for MIVD, including recorded conversations with MIVD officers. This prompted the agency to give him €500,000 ($700,000) in an attempt to unofficially settle his case. This was allegedly confirmed in a court in The Hague by Marc Gazenbeek, legal affairs director for the Dutch Ministry of Defense. However, I.A. claims the money he was given is insufficient and is suing for millions in damages. The Telegraaf says that Pieter Cobelens, who was director of MIVD at the time of I.A.’s employment, denies he was aware of his employment as a spy. The case continues.

News you may have missed #486

  • Hundreds of US officials to leave Pakistan in Davis deal [unconfirmed]. Pakistani newspaper The Express Tribune claims that 331 US officials in Pakistan have been identified by Islamabad as spies and are “to leave the country”, under a secret deal between Pakistan and the United States. The alleged deal was reportedly struck between the two sides as part of the release of Raymond Davis, a CIA operative who shot dead two people in Lahore.
  • Australian government unveils new spy legislation. The Intelligence Services Legislation Amendment Bill, which has been unveiled by the Australian government, contains changes to the intelligence services and criminal code legislation designed to “improve the operational capabilities of key spy agencies“, according to the country’s Attorney-General.
  • Dutch military intelligence: closed on Sundays. A Dutch government-commissioned report has revealed that the country’s military intelligence service, the MIVD, played no role in the decision, earlier this month, to attempt an evacuation operation by helicopter near the Libyan city of Sirte. The reason is because the evacuation took place on a Sunday, and requests for intelligence went unnoticed at MIVD headquarters.
%d bloggers like this: