Chief of Police Janny Knol informed all police employees today via email about these new developments. ‘Although this news does not come as a surprise to everyone, it can naturally affect your sense of security,’ she states. ‘Of course, we pay attention to that.’ The police have therefore set up a service point again where employees can go with concerns and questions. The chief thanked everyone who contributed to the investigation: ‘You delivered a remarkable piece of work.’
Impact
During the hack on the police, the Global Address List was compromised. It contained the work-related contact details of police employees and some chain partners. ‘The impact of this on our organization and colleagues was significant,’ says Stan Duijf, head of Operations at the National Investigation and Interventions Unit (LO), and responsible for cybercrime at the police. Substantial additional security measures were immediately taken in silence. At the same time, the High Tech Crime Team (THTC) initiated an investigation into the perpetrators. The outcomes support the information published today by the intelligence services. It shows that the hacker group – which the services named ‘LAUNDRY BEAR’ – conducted cyberattacks on companies and organizations in over forty Western countries. Many of the victims were compromised in a fairly generic way. ‘The police were one of the many organizations affected by this hacker group,’ says Duijf.
Disrupting
‘Although the group behind the hack has been identified, we currently have insufficient means to proceed to successful prosecution of concrete suspects,’ says John Lucas, chief public prosecutor, National Office. However, the LO blocked part of the criminal infrastructure earlier this week. ‘We have gained insight into the methods of these criminals from the investigation. We have also made part of the infrastructure inaccessible by blocking accounts of the services they use,’ explains Duijf. ‘When it comes to cyber operations, we work with partners to sustainably disrupt the entire ecosystem of cybercriminal services that facilitate these types of criminals.’ This approach was recently seen in Operation Endgame.
Infostealer malware
During the hack on the police, a so-called ‘pass-the-cookie attack’ was used. In a pass-the-cookie attack, the attacker takes over an active session of an account, with all the rights that account has. Such an attack requires an access token, which is obtained via malware. The access token that was used to successfully log into a police account during the hack had been obtained by so-called infostealer malware. Infostealer malware is developed and distributed on a large scale by cybercriminals, and the stolen data is frequently sold on for various criminal purposes such as ransomware, cryptocurrency theft, and data exfiltration.
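Because a replayed session cookie bypasses the login step, the defensive signal is a session that is presented from a client other than the one it was issued to, or that never had an authentication event at all. The following detection logic is an added example, not code from the police or the intelligence services; the log format and the sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed log format (assumption, not a real product format):
# <timestamp> <LOGIN|REQUEST> user=<name> sid=<session id> ip=<addr> ua=<agent>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|REQUEST) user=(?P<user>\S+) "
    r"sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua=(?P<ua>.+)$"
)

# Constructed sample: s1 is issued to one client and later replayed from
# another; s3 is used without any LOGIN event, i.e. the cookie was imported.
SAMPLE_LOG = [
    "2024-09-01T08:00:01Z LOGIN user=alice sid=s1 ip=10.0.0.5 ua=Edge/124",
    "2024-09-01T08:05:10Z REQUEST user=alice sid=s1 ip=10.0.0.5 ua=Edge/124",
    "2024-09-01T09:12:44Z REQUEST user=alice sid=s1 ip=203.0.113.9 ua=Firefox/125",
    "2024-09-01T09:13:00Z LOGIN user=bob sid=s2 ip=10.0.0.7 ua=Chrome/124",
    "2024-09-01T09:14:00Z REQUEST user=bob sid=s2 ip=10.0.0.7 ua=Chrome/124",
    "2024-09-01T09:20:00Z REQUEST user=carol sid=s3 ip=198.51.100.4 ua=Chrome/124",
]

@dataclass(frozen=True)
class Finding:
    sid: str
    user: str
    reason: str
    ts: str

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def detect_cookie_replay(lines):
    """Return one Finding per session whose cookie is presented from a client
    that differs from the one recorded at LOGIN, or that never logged in."""
    bindings = {}   # sid -> (ip, ua) captured at the LOGIN event
    alerted = set()
    findings = []
    for ev in parse(lines):
        sid = ev["sid"]
        if ev["event"] == "LOGIN":
            bindings[sid] = (ev["ip"], ev["ua"])
        elif sid in alerted:
            continue
        elif sid not in bindings:
            findings.append(Finding(sid, ev["user"], "no-login-event", ev["ts"]))
            alerted.add(sid)
        elif (ev["ip"], ev["ua"]) != bindings[sid]:
            ip, ua = bindings[sid]
            reason = f"client-mismatch ip={ip}->{ev['ip']} ua={ua}->{ev['ua']}"
            findings.append(Finding(sid, ev["user"], reason, ev["ts"]))
            alerted.add(sid)
    return findings
```

An address change alone is a weak signal for mobile or roaming clients, so in practice the user-agent and device checks carry more weight than the IP comparison.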
Joint Matter
In the investigation into the circumstances and perpetrators behind the data theft, the THTC collaborated with the Information Provision Service (IV) and regional units. ‘Not only within the police but also outside, several parties were involved in the investigation into the data theft,’ says Duijf. ‘Such as public and private partners and law enforcement agencies from abroad. We are pleased with this assistance and collaboration. The AIVD and MIVD identified the incident at the time and informed the police about it so that we could take measures. Regarding digital security, the AIVD supports us in the field of information security.’ Combating cyberattacks is inherently a complex whole with actors at different levels, according to Duijf. ‘The internet is a complex network where national borders do not matter. This makes the investigation of cybercrime facts almost always a joint and international matter.’
Stay Alert
It is important for organizations to arm themselves properly, and to keep doing so, against such cyberattacks and this form of espionage. Data compromised from one victim can also be used to carry out follow-up attacks. Therefore, it is important to be alert and to stay alert. ‘We must all be aware of our digital vulnerability. That is part of today’s reality,’ explains Duijf. ‘We simply cannot completely close “the door,” but we can try to arm ourselves as best as possible against cyberattacks. The information now released by the intelligence services helps us and other organizations increase that resilience.’
Resilience
Being a victim of a cyberattack is unfortunately no longer an exceptional situation, Duijf states. ‘Many people and organizations are dealing with this. According to the AIVD, the Netherlands is continuously confronted with cyberattacks from countries with an offensive cyber program. We need to arm ourselves even better against this.’
Read the tips from the National Cyber Security Centre (NCSC) here: