(Bloomberg View) — For the first time in a year, significant new information has emerged linking the 2016 U.S. Democratic National Committee security breach to Russia. A newspaper in the Netherlands reports that U.S. authorities received evidence of the hack from the Dutch intelligence service, which had penetrated the Russian hackers. The report partly explains the U.S. intelligence community’s certainty about what happened to the DNC and its reluctance to tell the public more. But it also raises new questions.

The story in the daily De Volkskrant is based on anonymous sources, as are almost all other substantial reports about Russian interference in the U.S. presidential election. But it provides enough exciting detail to be a major addition to what’s publicly available. According to the paper, hackers from AIVD, the Dutch General Intelligence and Security Service, penetrated the network of the Russian hacker group known as Cozy Bear in the summer of 2014.



According to the Dutch story, Cozy Bear, or, to use its generic designation in the cybersecurity community, Advanced Persistent Threat 29, worked from «a space in a university building near the Red Square.» That would fit the description of Moscow State University’s historic campus across from Red Square, occupied today by some of its humanities departments and the Institute of Asian and African Countries, which has traditionally sent large numbers of its graduates to the SVR, the Russian foreign intelligence service.



The Dutch hackers, reportedly, didn’t just watch everything Cozy Bear — a fluid group in which about 10 people were active at any given time — was doing on its computers. They also took over the security camera that recorded all the comings and goings at the group’s space. Dutch intelligence matched the faces of visitors against a database of known Russian agents and linked the group to the SVR. Crowdstrike, the cybersecurity firm retained by the DNC, hinted in its analysis of the breach that Cozy Bear could have been run by either SVR or the FSB, Russia’s domestic intelligence service, so the Dutch report clarifies the attribution.



In November 2014, the Dutch reportedly alerted the U.S. intelligence community that Cozy Bear was attacking the State Department, and helped the National Security Agency thwart the sustained attack. The Volkskrant story also claims that, a year after it first penetrated APT Cozy Bear in the summer of 2015, the Dutch intelligence service witnessed how the Russian hackers launched «an attack on the Democratic Party in the United States.»



U.S. colleagues sent cake and flowers to AIVD headquarters in Zoetermeer in appreciation. But after leaks in U.S. media that a «Western ally» had helped uncover Russian interference in the election, the Dutch became worried that their methods would be disclosed, and they’ve since scaled down their cooperation with U.S. intelligence services, fearing further leaks. The AIVD hackers are no longer in the Cozy Bear network, and the story says their ability to track the Russian group lasted between a year and 2.5 years.



If the story is correct, it explains why the U.S. intelligence community’s assessment of Russian interference provided scant evidence. If the information came from AIVD, the secrets weren’t the Americans’ to disclose. It also explains why the Federal Bureau of Investigation, by its own admission, never examined the DNC servers that had been penetrated, seemingly relying on data from Crowdstrike. If it had all the technical evidence from the Dutch, it may not have needed to look at the servers.

