APT-29 cyber operations against government agencies of Norway and the Netherlands (2016-2017)

From International cyber law: interactive toolkit
Date: 2016-2017.[1]
Suspected actor: Advanced Persistent Threat 29 (‘APT29’), also known as ‘Cozy Bear’. In February 2017, Rob Bertholee, the then head of the Dutch General Intelligence and Security Service (AIVD), attributed the attack on the Dutch ministries to Russia.[1] Similarly, in January 2017, Arne Christian Haugstøyl, then section chief of the Norwegian Police Security Service (PST), attributed the attacks on Norwegian entities to Russia.[2]
Target: In the Netherlands, the Dutch Ministry of General Affairs was targeted, alongside other unnamed ministries.[1] In Norway, email accounts of civil servants in the Ministry of Defence and Ministry of Foreign Affairs as well as the Norwegian Labor Party and the PST were targeted.[2]
Target systems: N/A
Method: Spear-phishing. Both the Dutch and Norwegian targets were sent malicious emails designed to extract sensitive information.[1][3]
Purpose: Whilst the precise motives of APT-29 are unknown, the group have been accused of various attacks against other democratic governments, parties and institutions across the world, including in Germany, the US and South Korea.[4] Accordingly, the 2016-2017 attacks fit into a similar pattern of attempting to covertly collect political and military intelligence via cyber operations.[1]
Result: The Dutch did not report that the attacks had been successful.[1] Similarly, in Norway it was not reported that the attacks had succeeded in breaching the targeted systems.[2]
Aftermath: Erna Solberg, the then Norwegian Prime Minister, described the attacks as a ‘serious attack on our democratic institutions’. A subsequent report conducted by the PST indicated that Russian cyber espionage was one of the biggest threats to Norway,[5] an assessment that was criticised by the Russian Embassy as ‘striving to achieve a return to the times of the Cold War.’[6]

In the Netherlands, the AIVD did not specify any consequences or measures to be taken following the attack,[1] though the government opted to count votes for the contemporary March 2017 general election by hand, rather than digitally.[7]

Analysed in Scenario 02: Cyber espionage against government departments

Collected by: Tom Davies