cozy bear

The Dutch were spying on Cozy Bear Hackers as they targeted Democrats

Dutch intelligence is claiming to have observed Russian state-sponsored hackers known as Cozy Bear attacking Democratic Party organizations in the U.S. beginning in 2014. 

A shocking report from a Dutch website, de Volkskrant, claims that hackers from that country’s intelligence community penetrated the network of a building used by Russia’s “Cozy Bear” hacking group and observed them targeting Democratic party officials starting in the summer of 2015.

Agents from the Dutch AIVD witnessed Russian hackers “harassing and penetrating the leaders of the Democratic Party” in 2015 and 2016 and “transferring thousands of emails and documents,” de Volkskrant claims. The report cites sources in both Netherlands and the U.S.

The report claims AIVD officials alerted their American counterparts about the Russian operations and may have been a key piece of evidence supporting the U.S. intelligence community’s report, shortly after the election of President Donald Trump, that it had “high confidence” that the Kremlin was behind the hack of the Democratic Party.

[You might also like: “Emboldened, Fancy Bear Hackers Target French, German Elections.”]

According to the report, the Dutch operation was targeted at a building used by the Cozy Bear hacking group. Also known as APT-29, Cozy Bear is one of the most prolific nation-stated hacking crews affiliated with the Russian government. It has carried out attacks against governments around the world.

cozy bear
A Dutch publication says that hackers from that country’s intelligence services infiltrated a building used by Russia’s Cozy Bear hacking group and observed state hackers attacking Democratic Party organizations in the U.S. (Image courtesy of CrowdStrike.)

A targeted hack pays off

Dutch hackers working for AIVD were able to penetrate the office building near the Kremlin in Moscow that the group uses to conduct its offensive cyber operations, even compromising a security camera that monitored those entering and leaving the building. According to the de Volkskrant report, the Dutch hackers were able to use their vantage point to give valuable intelligence to U.S. officials ahead of a November, 2014 Russian cyber attack on the U.S. State Department – intelligence that allowed the FBI and NSA to counter the attack. That attack followed the compromise of civil servant accounts that provided usernames and passwords needed to access the State Department network.

The Dutch also provided information about a subsequent compromise of the Obama White House, which included a compromise of White House systems that provided e-mail traffic with embassies and diplomats, agendas, notes on policy and legislation, though not classified information.

Cozy Bear: hackers with a history

The security firm CrowdStrike, which tracks and catalogues so-called “advanced persistent threat” (or APT) groups notes that the Cozy Bear goes by many names including “Office Monkeys, CozyCar, and CozyDuke.” The company said that the hacking group is different from other nation-state hacking groups because it “tends to cast a wide net, sending out thousands of phishing emails to a broad set of targets,” rather than carrying out focused operations against a small set of targets.

CrowdStrike was hired by the Presidential Campaign of Hillary Clinton as well as the Democratic National Committee in late 2016 after reports that Russian hackers had penetrated those organizations. In a subsequent report, it identified two different Russia-linked groups at work on the networks of the campaign and the DNC: Cozy Bear and a separate group known as Fancy Bear, with the Cozy Bear intrusion of the DNC dating to the “summer of 2015,” a timeline that lines up with the AIVD report.

The two groups appeared unaware of each other’s presence, even compromising identical systems on the DNC network and pilfering identical documents. CrowdStrike said that was an indication of the decentralized and entrepreneurial nature of Russian state hacking under Putin.