third Cyber Security Assessment Netherlands - NCSC
magnitude of digital espionage incidents, the number of incidents in the Netherlands is suspected to be significantly higher.

China

Globally, various large-scale attacks targeted at, among others, government institutions, dissident organisations, NGOs, knowledge institutions and companies in a range of sectors have been recognised. There are indications that in China, various actors such as the army, hacker groups, educational institutions, plus intelligence and security services are related to these attacks. The aim of these attacks is to obtain relevant military and economic information. Last year, various attacks on companies, dissident organisations, government and knowledge institutions were confirmed in the Netherlands, with characteristics all pointing to a Chinese actor.

The AIVD is investigating a large-scale digital attack against a sector that develops sophisticated technological applications for economic and military purposes. Companies in this sector in Europe, America and Asia have been the target of this attack. At various companies in different countries the attacker successfully gained access to a business network. These business networks were examined for a long time without anyone noticing, and the attacker was able to get hold of large volumes of highly specialist confidential information.

In addition to companies, Dutch public authorities, NGOs based in the Netherlands and inter-governmental organisations have also been the target of digital attacks originating from China. Research by the AIVD into a large-scale international digital attack targeted at various inter-governmental organisations revealed that these attacks were carried out by sending e-mails with malware to employees of these organisations. To increase the chance of the e-mails being opened by the person they were addressed to, they were sent from fake e-mail addresses that looked like addresses from trusted (government) institutions connected to the organisations concerned. The subject and attachments of these e-mails appeared authentic and related to the current topics and activities of the employees concerned.

Although there is no conclusive evidence for this, the scope, duration, choice of target and professional set-up of the above attacks suggest an attack initiated or sponsored by a government. Given the use of Chinese domain names and IP addresses and the Chinese time and language settings found in the malware, it is probable that the attacker originates from China or wants to suggest this.

The AIVD and MIVD currently estimate China to have a large cyber capacity. Although actors from China often use relatively simple digital espionage methods, the attacks on the aforementioned (Dutch) targets were on such a large scale, structured and tenacious in nature that there is now a permanent high risk. Chinese actors also use the Dutch IT infrastructure for digital espionage on other countries. Given the increase in the number of Chinese actors linked to digital espionage attacks and the increase in the number of Chinese actors involved in these attacks, this threat is increasing.

Russia

The digital intelligence activities on the part of actors that may be connected to Russia are directed at public authorities (in particular the ministries of Defence and Foreign Affairs), international organisations (in particular NATO), defence companies, banking, the energy sector and Russian dissidents. In the past year, digital attacks on foreign public authorities were blamed in particular on Russian actors. The AIVD has also established that the Netherlands was the target of digital attacks that can be attributed to Russia.

The AIVD and MIVD currently estimate Russia to have a large cyber capacity. The attacks identified were carried out professionally using unique and sophisticated malware, making them difficult to detect. The data stolen with this malware indicates a motive for the espionage. Given the choice of target and the sophisticated set-up of these attacks, it is likely that the Russian authorities are involved in these attacks. The Russian digital intelligence activities pose a realistic threat to the Netherlands.

Iran

The cyber activities on the part of the Iranian government are targeted primarily at digital control of, and intelligence gathering from, their own citizens. The Iranian government has domestic internet traffic under virtually full control, with the prime focus being on opponents of the regime.

AIVD research has revealed that in recent years Iran has focused more heavily on disruptive cyber activities targeted at countries abroad. One example that can probably be attributed to Iran is the attacks using Mahdi malware in mid-2012. This virus was spread through e-mails with infected attachments. Despite the fact that the attachments triggered a virus warning from anti-virus software, a few hundred people worldwide still opened the file. The Mahdi malware appears to have a dual aim: to spy on individuals, companies and organisations in Iran itself and outside of Iran (in particular Israel). Given the small number of infections in the Netherlands, it is unlikely that the Netherlands was a specific target of this malware. Considering the choice of target, the Iranian government is probably involved in some way in this attack.

Furthermore, a high number of defacements and DDoS attacks on websites of domestic and foreign opponents of the Iranian regime originate from Iran, and the assessment is that these are carried out with the Iranian government's knowledge. One example of this is a defacement attack at the beginning of 2012 on various Azerbaijani government websites, which also involved abuse of the Dutch IT infrastructure. The hackers placed inflammatory and religiously tinted images and text on the home pages of these websites opposing the alleged close ties between Israel and the current Azerbaijani government. The hackers also called for the start of an 'Arab Spring' in Azerbaijan. There are indications that Iranian hackers were involved in carrying out this attack.