According to a report in the Dutch newspaper de Volkskrant, the General Intelligence and Security Service of the Netherlands (AIVD)—the Netherlands' domestic intelligence service—had hacked into the network of a building at a Russian university in Moscow some time in the summer of 2014. The building housed a group running a hacking campaign now known as "Cozy Bear," one of the "threat groups" that would later target the Democratic National Committee.

AIVD's intrusion into the network gave them access to computers used by the group behind Cozy Bear and to the closed-circuit television cameras that watched over them, allowing them to literally witness everything that took place in the building near Red Square, according to the report. Access to the video cameras in a hallway outside the space where the Russian hacking team worked allowed the AIVD to get images of every person who entered the room and match them against known Russian intelligence agents and officials.

Based on the images, analysts at AIVD later determined that the group working in the room was operated by Russia’s Foreign Intelligence Service (SVR). An information and technology sharing arrangement with the National Security Agency and other US intelligence agencies resulted in the determination that Cozy Bear’s efforts were at least in part being driven by the Russian Federation’s leadership—including Russian President Vladimir Putin.

The data collected by AIVD began to pay off in November of 2014, when the agency alerted US intelligence officials that the Cozy Bear group had obtained login credentials and email from US State Department employees. enabling the National Security Agency, the Federal Bureau of Investigations, and the State Department to shut down the attack within 24 hours. A later attack on the White House was also picked up by the AIVD analysts, de Volkskrant’s Huib Modderkolk reported.

In a speech at the Aspen Forum in March of 2017, NSA Deputy Director Robert Ledgett described the effort to defend the State Department as “hand-to-hand combat,” acknowledging that information on the attack had come from a then-unnamed ally. At that time, unnamed current and former intelligence officials had indicated to The Washington Post that said ally had gained access to both the hackers' computers and the surveillance cameras inside their workspace.

AIVD’s penetration into the Cozy Bear network lasted for more than a year. The information gathered during the surveillance, Modderkolk’s sources suggested, was key to the US intelligence agencies’ attribution of the DNC breach to Russia. And the leaks that have followed, as well as the Trump administration’s recalcitrance in accepting the attribution, have made the Dutch intelligence community a “lot more cautious when it comes to sharing intelligence,” Modderkolk wrote.