Russian hackers breached Dutch police systems during MH17 probe

The hack was uncovered after the Dutch intelligence service noticed a police IP address communicating with malicious servers

Russia-linked cyber actors breached the computer systems of the Dutch national police in 2017, while the authorities were investigating the downing of Malaysia Airlines Flight 17 (MH17).

The Dutch newspaper De Volkskrant first reported the news last week, revealing that the breach was discovered by the Dutch General Intelligence and Security Service (AIVD), which alerted the police about the intrusion.

Neither the national police nor the AIVD has acknowledged the breach so far, although Volkskrant said it confirmed the incident through multiple anonymous sources.

MH17 was on its way from Amsterdam to Kuala Lumpur on 17 July 2014 when it was shot down over eastern Ukraine by a surface-to-air missile. All 298 people on board, 196 of them Dutch, were killed.

When MH17 was shot down, an armed revolt by Russian-backed separatists was under way in eastern Ukraine.

The Russian government denied any involvement in the MH17 incident, and the separatists and the Ukrainian military also denied responsibility.

On 5 July 2017, the Netherlands, Malaysia, Australia, Belgium and Ukraine, the countries that make up the Joint Investigation Team (JIT) probing the downing of the plane, announced that any suspects would be prosecuted in the Netherlands under Dutch law.

According to Volkskrant, the attack on the Dutch police systems dates back to September 2017, when the hackers exploited a security vulnerability to breach a server belonging to the Dutch Police Academy.

From that initial foothold, the hackers moved laterally to gain access to other systems on the main police network.

The breach was uncovered after the AIVD noticed a Dutch police IP address communicating with malicious servers operated by Russian APT groups.

Some sources told the newspaper that the attack was likely carried out by the Russian group APT29, also known as Cozy Bear, on behalf of the Russian Foreign Intelligence Service (SVR). APT29 gained wide attention in 2016 as one of the two Russian groups blamed for the breach of the Democratic National Committee in the run-up to the 2016 US presidential election.

Other sources told Volkskrant that the attack was likely executed by APT28 (Fancy Bear), acting on instructions from the Main Directorate of the General Staff of the Russian Armed Forces (GRU).

The AIVD investigation also revealed that Russian attackers had been targeting the Dutch police and other agencies, including the Public Prosecution Service, through phishing emails as well as direct attacks on police computer systems.

In one incident, a Russian hacker drove a car fitted with hacking equipment close to the Public Prosecution Service office in Rotterdam.

Because the police network lacked adequate monitoring and logging, the AIVD and the Dutch police know very little about what the hackers did inside the network or what information they were able to steal.
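The breach came to light only because an outside party, the AIVD, saw a police address talking to known command-and-control servers, and the lack of internal logging then left investigators blind. The following is an added example, not code from the article or from any of the organisations it describes, of the kind of check a defender can run over its own egress logs to catch that same signal. The log format, the internal address range and the indicator addresses are all constructed for illustration (RFC 5737 documentation ranges), not real infrastructure.

```python
"""Added example (not part of the original article): flag internal hosts that
successfully connect to known command-and-control (C2) addresses, the outbound
indicator that exposed the breach described above. Every log line, address
range and indicator below is constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed indicator list: hypothetical C2 servers attributed to an APT group.
C2_INDICATORS = {"203.0.113.7", "203.0.113.44"}

# Hypothetical internal address space of the monitored network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log lines in a simple key=value format (not a real product's format).
SAMPLE_LOGS = """\
2017-09-12T08:14:03Z action=allow src=10.20.30.5 dst=198.51.100.9 dport=443 proto=tcp
2017-09-12T08:14:09Z action=allow src=10.20.30.5 dst=203.0.113.7 dport=443 proto=tcp
2017-09-12T08:29:41Z action=allow src=10.20.30.5 dst=203.0.113.7 dport=443 proto=tcp
2017-09-12T09:02:17Z action=allow src=10.20.31.88 dst=203.0.113.44 dport=8443 proto=tcp
2017-09-12T09:05:00Z action=deny src=10.20.30.5 dst=203.0.113.7 dport=22 proto=tcp
2017-09-12T09:10:55Z action=allow src=10.20.30.6 dst=198.51.100.10 dport=80 proto=tcp
2017-09-12T09:11:02Z action=allow src=192.0.2.77 dst=203.0.113.7 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside the monitored internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_c2_beacons(log_text, indicators=C2_INDICATORS):
    """Group allowed connections from internal hosts to indicator addresses.

    Returns {src: {"count", "first_seen", "last_seen", "dsts"}}. Only
    allowed connections count: a denied attempt shows intent but not an
    established channel, and external sources are not ours to triage."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None, "dsts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if rec["dst"] in indicators and is_internal(rec["src"]):
            h = hits[rec["src"]]
            h["count"] += 1
            h["first_seen"] = rec["ts"] if h["first_seen"] is None else min(h["first_seen"], rec["ts"])
            h["last_seen"] = rec["ts"] if h["last_seen"] is None else max(h["last_seen"], rec["ts"])
            h["dsts"].add(rec["dst"])
    return dict(hits)


if __name__ == "__main__":
    for src, h in sorted(find_c2_beacons(SAMPLE_LOGS).items()):
        print(f"{src}: {h['count']} connection(s) to {sorted(h['dsts'])} "
              f"between {h['first_seen']:%H:%M:%S} and {h['last_seen']:%H:%M:%S}")
```

On the constructed input this reports two internal hosts: one that reached a C2 address twice over a quarter of an hour (its later denied attempt on port 22 is not counted) and one with a single connection to a second indicator; the external source in the last line is ignored. The check is only as good as the logs behind it, which is the point of the article's final paragraph: without egress flow logs that record source, destination and time, nobody inside the organisation can run it, and an intelligence service watching the other end of the connection becomes the only detection.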