Dutch intelligence: Many cyberattacks by Russia are not yet public knowledge

Many of Russia’s cyber operations against Ukraine and NATO members during the past year have not yet become public knowledge, according to a joint report published this week by two Dutch intelligence services.

Although dozens of private sector reports have detailed Russian ops during the war in Ukraine, experts have questioned whether the cybersecurity industry has visibility into the full extent of that activity. The joint report from the Dutch General Intelligence and Security Service (AIVD), alongside its Military Intelligence and Security Service (MIVD), cites two reasons why “many of these attempts have not yet become public knowledge.”

The fact that “the pace of Russian cyber operations is fast” is a big factor, the report said. And the nature of many targeted institutions — such as military and diplomatic agencies — leads to secrecy about their vulnerabilities.

“Before and during the war, Russian intelligence and security services engaged in widespread digital espionage, sabotage and influencing against Ukraine and NATO allies,” says the report, which describes the full-blown invasion of Ukraine a year ago this week as “a turning point in history.”

Russia’s target selection has been “very broad” the agencies said, meaning that even Ukrainian organizations that are not playing a “direct role in the course of the war or political decision-making” are being hacked.

The joint report relays the findings of the intelligence agencies — collected through “sensitive operations using human and technical resources” — about the threat posed by the Russian state conducting cyberattacks on various institutions, physical sabotage on maritime infrastructure, and information operations.

Russian threat, Western response

The impact of “continued Russian attack attempts” in cyberspace has been “limited” thanks to Ukrainian and Western digital defenses, the joint report said, adding that Russia has “found it difficult to synchronize cyber operations with other military operations, such as airstrikes.”

The largest part of Russian cyber operations were espionage activities aimed at accessing “military, diplomatic and economic information from both Ukraine and NATO allies,” said the intelligence agencies. The targets include tactical intelligence, such as the locations of military equipment and personnel.

CIA Director William Burns recently promoted the value of such data, telling the Munich Security Conference that “providing usable intelligence” to Ukraine has been one of the most important contributions “besides weapons” that the U.S. has made to the country’s defense.

NATO members who are providing military support to Ukraine also are common targets of Russian intelligence. The joint report said that the “Dutch armed forces, ministries and embassies have also been the target of (unsuccessful) cyber espionage attempts in the past year.”

Alongside espionage operations, Russian cyber forces have repeatedly attempted to deploy "wiper" malware strains designed to destroy data in computer systems.

“Moscow regularly attempts to digitally sabotage Ukrainian vital infrastructure and carries out constant wiper malware attacks. The sustained and very high pressure that Russia exerts with this requires constant vigilance from Ukrainian and Western defenders,” said the joint report.

Despite this, “large-scale disruption has so far failed to materialize and the impact of cyber sabotage is dwarfed by the impact of physical military operations.”

“The potential of cyber operations cannot be fully exploited by Russia,” the intelligence agencies added, without providing too much of an explanation. But the report said “most Russian digital attack attempts are detected prematurely or remedied quickly, thanks to far-reaching Ukrainian monitoring, detection and response measures. Ukraine receives significant help from, for example, Western intelligence services and companies.”

The two agencies warned that the Ukrainian defense was “not guaranteed” and “can probably only be sustained as long as Western support remains as intensive and adaptive as the cyber operations of the Russian intelligence services.”

Physical sabotage threat

The Dutch infrastructure in the North Sea includes internet cables, gas pipelines and wind farms, which the intelligence agencies warned “can be vulnerable to sabotage,” the report said. Russian ships also have been covertly mapping the Netherlands’ maritime infrastructure “and undertaking activities that indicate espionage and preparatory acts for disruption and sabotage.”

For example, a Russian ship was detected at an offshore windfarm, according to the MIVD's chief, Gen. Jan Swillens. Dutch coast guard ships escorted the vessel out of the North Sea, said Swillens, who added that the Russian reconnaissance of the North Sea energy system is something the MIVD hadn't seen before.

The report did not mention the suspected sabotage of the Nord Stream 1 and Nord Stream 2 natural gas pipelines, which run through the Baltic Sea.

However the agencies added it was “conceivable” that Russia could seek to cause a similar physical threat to “other vital sectors, such as drinking water and energy supply, is also conceivable, as long as such attacks can be carried out covertly.”

Last week, ahead of the report's publication, the Dutch government announced that it was expelling Russian intelligence operatives working in the Netherlands under diplomatic cover. It is not known whether these individuals were suspected of espionage activities that could have facilitated sabotage in the future.

Information operations

Russia’s intelligence services “have succeeded several times in temporarily taking control of Ukrainian media broadcasts and broadcasting Russian messages,” said the report. “Subsequently, the systems of these media were digitally sabotaged.”

Other incidents, such as malware aimed at disrupting Ukraine’s power supply, “are probably mainly aimed at undermining Ukrainian morale” rather than achieving a military objective, the Dutch agencies said.

“To hide their involvement in covertly spreading disinformation and propaganda through digital channels, Russian intelligence services employ many techniques they also use for cyber operations,” the intelligence services warned.

They added that in the case of the information operations troops within the Russian military intelligence service (GRU), it was “even partly the same units that are responsible for both cyber operations and covert influence.”