Most Remarkable APT Incidents That Targeted Netherlands in 2021

The Netherlands is regarded as the technological gateway to Europe. The internet economy in the Netherlands, which currently accounts for more than six percent of the country’s GDP, is expected to continue to grow in the following years. Also, approximately all households have a broadband connection.

Amsterdam province is home to about a third of Europe’s data centers. The Netherlands houses one of the most extensive internet exchanges globally, the AMS-IX (Amsterdam Internet Exchange). Many gigantic digital companies have preferred to base their European operations in the Netherlands.

Therefore, digital espionage, cybercrime, and the disruption of online services are significant troubles for Dutch organizations and the Netherlands. There has been an increase in recent years, especially in state-sponsored attacks. Here, SOCRadar overviews these incidents in the country for 2021.

1- The Infy APT Attack: Iranian APT campaign targeting various countries, including the Netherlands, since April 2020

Infy APT usually uses malware called Tonnerre and Foudre.

The Infy APT is a sophisticated threat group linked to Iran. It has been active since 2007. There are significant signs that Infy appears to be attributed to Iranian telecommunications corporations and Infy’s primary targets are politicians and ministries around Iran.

Infy mainly uses two data stealer malware on Windows: “Tonnerre and Foudre.” Earlier versions of Foudre let the victim open a link that looks like a video. Instead, the new version of Foudre will execute a macro after the victim closes the file. Then an infection chain starts:

The phishing file includes malware-macro drops and runs a self-extracting archive with Foudre elements.
Foudre communicates to the HTTP server, validates it, and downloads the self-extracting archive operating Tonnerre malware.
Tonnerre utilizes a C&C connection, HTTP for the updates, and File Transfer Protocol (FTP) for data exfiltration.

The Infy APT operated Persian macro-embedded files referencing Iranian politicians in this attack. In targeted attacks, the victims are from numerous countries, and there were four victims from the Netherlands.

2- Russia-linked APT29 and APT28 posing a threat to the Netherlands

Russia-linked APT28 and APT29, aka Fancy Bear and Strontium.

Dutch intelligence service, the General Intelligence and Security Service (AIVD), in late-2014, published a report that Russia-attributed hacker groups’ activities pose a severe threat to the Netherlands. After seven years, now it’s known by the Dutch Police that Russia-linked hackers breached the internal network of the Police Department in 2017 during the long-lasted investigation into the Malaysian Airline-17 crash.

The threat actors manipulated a flaw in an “exotic software” to compromise a server of the Dutch Police Academy. Then they moved laterally to reach different systems in the prime Dutch police network. The Dutch secret service AIVD disclosed the intrusion, and the government professionals found that a Dutch police IP address was connecting to servers utilized by Russia-linked APT.

According to the Volkskrant, the Dutch newspaper that first published the incident in June 2021, APT29 (aka Cozy Bear) completed the attack. APT29 and the APT28 (aka Fancy Bear and Strontium) cyberespionage group were involved in the Democratic National Committee attack and the wave of hacks targeting the 2016 elections in the US.

APT28 has been active since at least 2007, and it has targeted governments and security organizations over the world.

Conclusion

Cooperation between countries and organizations is essential for effective solutions against APT groups.

In summary, throughout 2021, various Dutch agencies have repeatedly cautioned against the threat of Chinese and Russian-linked APT attacks on the Netherlands, requesting more budget and cooperation to respond. AVID, MIVD (Dutch Military Intelligence and Security Service), and NCTV (Dutch National Security and Counter-Terrorism Coordinator) stated that they encounter these attacks every day.

The institutions issue a joint warning to FD, saying they demand better communication and cooperation between the two countries.