How Dutch Spies Were Able To Outwit Russian Hackers

Online spies outfoxed the notorious Russian hacking group and fed information about their attacks on U.S. federal systems to American authorities.

How Dutch Spies Were Able To Outwit Russian Hackers
Illustrations: spainter_vfx/iStock; pavalena/iStock]

Since at least 2010, the Russian state-sponsored hacking group Cozy Bear has been implicated in cyber attacks around the world, penetrating networks belonging to the U.S. State Department, the Joint Chiefs of Staff, and the Democratic National Committee, and targeting other systems around the world from Norway to Brazil.


Their targets have often seemingly struggled to keep up with the attacks–the Pentagon in 2015 reportedly took thousands of unclassified email accounts offline for at least 10 days to recover from a hack by the group, and Cozy Bear is said to have had access to DNC systems for about a year before being discovered.

But recent reports reveal that the Russian group, believed to be tied to the Russian FSB–an intelligence bureau seen as today’s successor to the Soviet-era KGB–was itself the victim of a startlingly successful hack, carried out by a much smaller nation.

According to a report in de Volkrsrant, a highly regarded daily paper in the Netherlands, Dutch intelligence hackers had gained access to Cozy Bear’s computers in 2014 and remained there for between one and two-and-a-half years. The hackers were reportedly even able to monitor Cozy Bear team members’ comings and goings through a compromised security camera, comparing their images to those of already known Russian spies.

The Netherlands team was significantly ahead of its U.S. counterparts, feeding information to the Federal Bureau of Investigation and National Security Agency that helped them cut off Russian servers communicating with malware embedded in State Department machines, per de Volksrant,  Russian intelligence agencies have declined to comment on the report.

Small Country, Big Brains

But how did a nation with a population just an eighth the size of Russia manage to get the upper hand on the Putin regime’s notoriously successful cyberspy outfit?

Experts say the victory was due to a significant, long-term Dutch investment in cybersecurity and digital intelligence operations–and another sign of how hacking capabilities can help disrupt the traditional balance of power between nations.


“If you want to start a kinetic war, you need to have huge resources–contrary, cyber war requires much, much, much less resources–simply, it requires knowledge,” says Lech Jan Janczewski, an associate professor at the University of Auckland who has written about small states and cyberwarfare. “This means that a small country can do enormous damage to even the most powerful country.”

And the Netherlands has invested in developing that knowledge since at least the early 2000s. It’s built a joint military-civilian cyber-intelligence team that today has a staff of between 300 and 400, “which for a small country like the Netherlands is quite big,” says Sico van der Meer, a research fellow at Clingendael, the Netherlands Institute of International Relations.

The country in general has been proactive on computer security, and was an early adopter of public-private partnerships to secure important systems and of ethical disclosure rules that promote hackers investigating and helping to fix vulnerable networks. Dutch officials in 2013 compared the country’s cybersecurity strategy to the low-lying country’s decades-long efforts to manage flooding and hold back the sea.

“The strategy tried to harness that same sense of responsibility toward water management for use with cyber security by advocating that every citizen has a responsibility to ensure the resilience of the country by preventing and containing threats between cyber security, economic and social growth, and freedom and privacy,” according to a report from the Potomac Institute for Policy Studies.

And the Netherlands has had plenty of reason to focus its cyber resources on Russia, even besides Russia’s global pattern of digital attacks. Shortly before the Dutch hackers are said to have gained access to Russian systems, the Netherlands was involved in a diplomatic dispute with Russia over the Arctic Sunrise, a Dutch-flagged Greenpeace ship that had been seized by Russian forces while protesting oil exploration in the Arctic. And in late 2013, a Russian diplomat in the Netherlands had briefly been detained for alleged child abuse, triggering an outraged response from the Kremlin and an ultimate apology from the Netherlands. Days after his detention, a senior Dutch diplomat was also attacked in his Moscow residence by unknown assailants.

And by the time of the hack on the State Department and the Netherlands’ reported aid to Washington in repelling the attack, relations were further strained by the July 2014 downing of Malaysia Airlines Flight 17. The flight from Amsterdam to Kuala Lumpur was carrying a number of Dutch nationals and is widely believed to have been shot down by pro-Russian separatists in Ukraine. The Russian opposition newspaper Novaya Gazeta ran a front-page apology to the Netherlands in Dutch, but Russian state media responded by promoting a variety of conspiracy theories about the crash. Russia was later accused of attempting to hack into systems used by Dutch safety investigators and independent journalists looking into the crash.


The Chances of Making A Mistake Were “Pretty Great”

To some extent, the broad scope of Russia’s alleged digital aggression may also have made it a more vulnerable target to the Dutch hackers. The sheer scale of the Russian hacking efforts likely provided more potential points for rivals to enter their systems, says John Hultquist, director of intelligence analysis at security firm FireEye.

“These were very large scale operations,” he says. “The opportunities, the chances of making a mistake or failing to clean up after themselves is pretty great.”

But one still unanswered question is how details of the Dutch operation came to be leaked. Washington sources had previously revealed to the media that the Russian attacks were thwarted with the help of a Western ally, itself an unusual revelation in intelligence circles and one that de Volksrant reported likely angered Dutch officials, potentially leading to less information sharing in the future.

Some in the Netherlands have theorized that someone in the Dutch intelligence services may have leaked further details of the hack to bolster public support for their agencies, especially in an advance of a controversial referendum scheduled for next month that would boost their spying power.

“This is clearly a success—if you’re able to believe what has been communicated in the media coverage, of course,” says van der Meer.

About the author

Steven Melendez is an independent journalist living in New Orleans.