Dutch General Intelligence & Security Service (AIVD) disrupts activities of Russian intelligence officer targeting the International Criminal Court

On June 16, the Dutch General Intelligence & Security Service (AIVD) announced that they prevented a Russian military intelligence officer from gaining access as an intern to the International Criminal Court (ICC) in The Hague. The ICC is of interest to the GRU because it investigates possible war crimes committed by Russia in Georgia (2008) and Ukraine.

The GRU officer traveled from Brazil to the Netherlands in April 2022 using a cover identity, making him a so-called “illegal”. He planned to start an internship with the ICC, which would have given him access to the ICC’s building and systems. This would have enabled the GRU to collect intelligence, spot and recruit sources, and possibly influence criminal proceedings.

On his arrival at Schiphol Airport, the AIVD informed the Immigration & Naturalization Service (IND), after which the officer was refused entry to the Netherlands and put on the first plane back to Brazil as persona non grata.

The AIVD assessed the officer as a “potentially very serious” threat to both national security and the security of the ICC as well as, due to the outlook of him acquiring access to the ICC, allies.

In a first-ever for the AIVD, it also released translations of a partially redacted 4-page document that describes the “extensive and complex” cover identity of the officer. It was originally written in Portuguese, “probably created around mid-2010” and “likely written” by the officer himself, and according to the AIVD provides insight into his modus operandi. The cover identity hid any and all links between him and Russia. According to the AIVD, the construction of this kind of cover identity “generally takes years to complete”.

In the note accompanying the document, the AIVD says that Russian intelligence services “spend years” on the construction of cover identities for illegals, to which end they “collect information on how other countries register and store personal data”, or illegally procure or forge identity documents. Information in the cover identity “can therefore be traceable to one or more actual persons, living or dead” as well as to (fake) individuals “who only exist on paper or in registries of local authorities”.

EU Member States expel >120 Russian diplomats in an apparent coordinated effort to reduce Russian intelligence presence in the EU

A week after Poland announced it expels 45 Russian diplomats, the foreign ministries of Belgium, the Czech Republic, Ireland and the Netherlands announced on March 29, 2022 that they too will expel Russian diplomats. A day later, Slovakia followed up by announcing expulsion of another 35 Russian diplomats.

The Czech Republic, who in 2021 called on EU and NATO to expel Russian diplomats in solidarity against Moscow, expels one diplomat from the embassy in Prague on a 72-hour notice. In a tweet the Czech ministry of foreign affairs stated that “Together with our Allies, we are reducing the Russian intelligence presence in the EU.”

Belgium expels 21 diplomats from the embassy in Brussels and consulate in Antwerp. Minister Sophie Wilmès stated the measure is taken to protect national security and is unrelated to the war in Ukraine. “Diplomatic channels with Russia remain open, the Russian embassy can continue to operate and we continue to advocate dialogue”, Wilmès said.

The Netherlands expels 17 diplomats from the embassy in The Hague. According to minister Wopke Hoekstra they are secretly active as intelligence officers. Hoekstra bases this on information from Dutch intelligence & security services AIVD and MIVD. The embassy in the Hague has 75 registered diplomats, of which 58 will remain. Hoekstra says the decision was taken with “a number of like-minded countries”, based on grounds of national security. Like his Belgian colleague, Hoekstra adds he wants diplomatic channels with Russia to remain open.

Ireland expels 4 “senior officials” from the embassy in Dublin for engaging in activities “not […] in accordance with international standards of diplomatic behavior”. They were suspected of being undercover military officers of the GRU and were already on the radar of Garda Síochána, the Irish national police and security service, for some time.

Furthermore, Slovakia announced it will “reduce the staff of the Russian embassy in Bratislava by 35”, after already having expelled three diplomats earlier in March, and charging two people with espionage for Russia. The official statement of the Slovakian government does not mention specifics beyond the statement that “we regret to note that […] the Russian diplomatic mission has not shown any interest in operating correctly on our territory.”

Dutch intelligence scholar Ben de Jong points out in NRC Handelsblad that the absence of France and Germany limits the strength of the political signal that is sent to Russia. Based on its own sources, NRC writes that the expelled diplomats in the Netherlands “presumably” were active in collecting secret information about weapon deliveries to Ukraine, political and military decision-making in NATO and the EU, and discussion about new sanctions.

De Jong also points out that besides the use of diplomatic covers and illegals, Russian secret services likely have representatives in companies such as Gazprom and Aeroflot who are not affected by the expulsion and can continue their operations, albeit without the protection of a diplomatic cover. Another intelligence scholar points out that new diplomats will eventually be registered.

The Belgian and Dutch ministers cite national security as ground for the expulsion rather than the expulsions being a sanction over the war in Ukraine. The apparent coordinated effort is however seen as a joint political statement to the Russian government.

Russian foreign ministry spokeswoman Maria Zakharova told AFP that “responses will be provided on the basis of the principle of reciprocity.”

Russian and Chinese services use LinkedIn to target & recruit persons to spy on Dutch companies, says General Intelligence & Security Service (AIVD)

Thousands of employees at Dutch high-tech companies are systematically being approached by secret services from China and Russia who are trying to steal company secrets. This is done through fake accounts on LinkedIn, the largest business network in the world. The spies pose as fellow scientists or engineers. They also impersonate consultants or recruiters.

Dutch and other Western secret services are shocked by the number of successful contact attempts, in which people have ultimately been made to share sensitive information through blackmail or bribery. After the first contact via LinkedIn, the relationship is quickly made more “personal,” says Director Erik Akerboom of the General Intelligence and Security Service AIVD. The new contact acts flattering about your knowledge and expertise. ‘You get a request to translate something. After that, personal contact may follow at a conference.’

Awareness campaign

The scale and clout of the Russian and Chinese infiltration attempts have reached such proportions that the AIVD is sounding the alarm. Later this week, the service will launch a warning campaign via social media to make Dutch employees and officials aware of the dangers.

Last year, the Netherlands expelled two Russian spies from the country. They had enticed employees of several Dutch high-tech companies to sell information. The first contacts were made through LinkedIn, AIVD chief Erik Akerboom says to the FD. One of the Russians, who is an intelligence officer with the secret service SVR, created fake identities as a scientist, consultant and recruiter for this purpose. The AIVD would not say which companies were involved.

For years, China and Russia have been purposefully trying to get advanced technology into Western countries, including the Netherlands. This is done through company takeovers, but also through cyber attacks and classic espionage. The AIVD has previously warned that such attempts undermine the Dutch economy.

No ban

Dutch high-tech companies do not prohibit their employees from creating a profile on LinkedIn. ‘We do have protocols for the information people share on social networks,’ said a spokesperson for chip manufacturer NXP. ‘Everything an employee posts is legally checked.’ ASML, which is not allowed to sell its advanced chip machines to China because of an American boycott, does not prohibit activity on LinkedIn or other networks either. The company does make its employees aware of the risks.

Intelligence work by the AIVD shows that China and Russia are operating systematically, says Akerboom. Social networks like LinkedIn or Instagram are constantly being copied and stored in databases. They analyze them to get their sights on targets. They are dealing with people who have access to special technological knowledge. The data is combined with information acquired from outright hacks in their organization, looking for specific personal data.’

Potential targets are ‘ranked’, says the AIVD chief. The non-friendly services then look at the level of influence the potential targets have within their own organization, their position within a business network, and their access to important information. ‘The rankings determine which people they prioritize for their recruitment efforts.’

Fake recruitment agency

British and American intelligence agencies have previously warned against this type of espionage. Sometimes fake recruiting agencies are created. After initial contact via LinkedIn, a target is persuaded to drop by for an interview about a new job. By sharing confidential information about their current employer, the victim becomes vulnerable to blackmail. The Chinese secret service is said to focus mainly on expats who still have family in China. This makes them extra sensitive to pressure to share information.

The targeted spying via LinkedIn began in 2009, according to Cody Barrow, director of threat analysis at cybersecurity firm EclecticIQ in Amsterdam. Previously, he worked in the US as a ‘senior intelligence officer’ at the Department of Defense and the National Security Agency (NSA). ‘In that year I myself received my first LinkedIn request from an attractive woman I didn’t know. Once the spies become friends, and can read your full profile, they check if you use certain keywords. Or code words for software programs you work with.’

For example, if a spy were to read that an NSA employee works with the program Wrangler, the contact immediately becomes a higher priority for the spy. This is because it means that the employee is involved in gathering and analyzing information via satellite imagery.

Invites accepted carelessly

Barrow estimates that over the past ten years “many thousands of Dutch people” have received LinkedIn requests from Chinese spies. Requests are often accepted uncritically, especially if the requester already appears to share various contacts with the target. Moreover, many people are susceptible to flattering remarks. AIVD chief Akerboom says he is “not surprised” by the estimate of several thousand. Barrow thinks that half of these have also accepted a request.

Warning of such practices is a good thing in itself, but the AIVD itself should take much more proactive action against them, cyber security expert Ronald Prins believes. For example, the services could issue preventive warnings about an ongoing offensive. Or break into state-led hacker groups and share more knowledge. ‘So far, the service only comes into action when military applications are at stake. When are they going to make an effort for the economic security of the Netherlands?’

The AIVD has already expressed to the House of Representatives its desire for a broader mandate, to also defend commercial companies and ‘the earning capacity of the Netherlands’. The cabinet that took office last month allocated an extra €300 million for the security services in the coalition agreement, but there are no concrete plans yet about how this will be spent.

Response from LinkedIn

‘We actively look for signs of state-sponsored activity(s) on the platform and take swift action against actors with malicious intent to protect our members. We do not wait for requests for removal, our Threat Intelligence Team removes fake accounts using information we discover and information obtained from various sources, including government agencies. Creating a fake account or fraudulent activity with the intent to lie to or mislead our members is a violation of our terms of service.’

Dutch govt expels two Russians using diplomatic cover to commit espionage on behalf of Russia’s civil foreign intelligence agency SVR; pursued information on AI, semiconductors & nano tech

UPDATE: 2020-12-14 09:00 UTC: small guest contribution to IntelNews: Holland expels two Russian diplomats, summons Kremlin envoy to issue protest.

UPDATE: 2020-12-13 11:05 UTC: the AIVD released bits of recorded video of one contact moment between the SVR officer and one of his assets in NL. It was shown today on national TV during “WNL op Zondag”, where Akerboom was present to explain and annotate the recent developments. The episode, in Dutch, can be watched here (skip to ~32m30s). Here’s a screenshot I took from that episode (SVR officer is at the left; his source at the right):

UPDATE 2020-12-10 18:49 UTC: reportedly, AIVD director Erik Akerboom (Twitter: @dg_akerboom) said that the AIVD detected “relatively intensive” contact between the SVR officer and sources in the Dutch high-tech sector “in at least ten cases”, indicating that the SVR officer had at least ten sources.

On 10 December 2020, the Dutch minister of the Interior, Kajsa Ollongren, sent a letter (in Dutch) to the House of Representatives to inform the parliament about the disruption of a Russian espionage operation.

Two Russians using a diplomatic cover to commit espionage on behalf of the Russian civil foreign intelligence agency SVR have been expelled from the Netherlands. Both were accredited as diplomat at the Russian embassy in The Hague. The minister says the SVR intelligence officer built a “substantial” network of sources (i.e., he was a case officer) working in the Dutch high-tech sector. He pursued information about AI, semiconductors and nano technology; knowledge that has both civil and military applications. In some cases the sources got paid for their cooperation.

The Dutch civil intelligence & security service AIVD disrupted the operation. On 9 December 2020, the Russian ambassador to the Netherlands was summoned by the Dutch ministry of Foreign Affairs. The Russian ambassador was told that the two Russians have been designated as Persona Non Grata (PNG), i.e., they are expelled from the Netherlands.

This case involves multiple companies and one educational institute, whose identities are not revealed. The minister states that the espionage “has very likely caused damage to the organizations where the sources are or were active, and thereby to the Dutch economy and national security.”

The minister states that the Immigration and Naturalization Service (IND) will take legal action against one source on the basis of immigration law.

The minister also announces the Dutch administration will look into possibilities to criminalize the act of cooperating with a foreign intelligence service. Currently, that act on and by itself is not a punishable offense. Legal possibilities do already exist regarding violation of confidentiality of official secrets and company secrets, however. For related developments at the EU level, check out the Trade secrets page of the European Commission.

Finally, the minister points out that this case shows “that threats from foreign states against the Netherlands are real”, and that a broader follow-up will take place of the parliamentary letters “Countering foreign state threats” of 18 April 2019 and “Knowledge security in higher education and science” of 27 November 2020.

Three side notes:

If you’re at an organization that has a need for insight into protection against insider threats, I recommend checking out Signpost Six. It was founded by @Elsine_van_Os, who formerly worked at the Dutch military intelligence & security service MIVD.

The remainder of this post is a translation of the main body of the minister’s letter on the disrupted espionage operation.

[…]
Disruption
As mentioned in the annual reports of the AIVD, the Netherlands is a target of Russian intelligence services who covertly collect information that is valuable to Russia, including economic & scientific information.

The AIVD recently ended operations of a Russian intelligence officer of the civil foreign intelligence service SVR. The Russian national, who was employed at the Russian embassy as an accredited diplomat, was involved in espionage on technology and science. He built a substantial network of sources, all of whom are or were employed in the Dutch high-tech sector. The intelligence officer was interested in information about, among others, artificial intelligence, semiconductors, and nano technology. Much of this technology is of use both for civil and military applications.

The Russian intelligence officer made contact with persons who have access to sensitive information within the high-tech sector, and in some cases paid for that. A second Russian SVR officer, also accredited as diplomat, fulfilled a supporting role.

Companies and educational institute have been informed
The high-tech sector in the Netherlands holds high-quality and unique knowledge. The espionage has very likely caused damage to the organizations where the sources are or were active, and thereby to the Dutch economy and national security.

The sources of the Russian intelligence officer have been contacted by the AIVD to disrupt their activities. In a number of cases, the AIVD has submitted an official notification to the companies and educational institute involved such that they can take measures. In one case, an official notification was sent to the Immigration and Naturalization Service (IND). The IND will take legal measures against one source. The AIVD is investigating whether further official notifications can be sent to the IND.

No comments can be made about the identities of the sources and which companies and educational institute are involved.

Persona Non Grata
As a result of the detected espionage activities, the Russian ambassador has been summoned by the Dutch Ministry of Foreign Affairs on 9 December 2020, and has been told that the intelligence officer, as well as the supporting SVR worker, have been designated as Persona Non Grata (PNG).

Criminalization of espionage
Due to the increased vulnerability of the Netherlands for espionage, the Dutch administration has examined the added value of criminalization of espionage. Criminal law already provides legal possibilities to act against crimes involving violation of confidentiality of official secrets and company secrets. However, espionage in the sense of persons covertly collaborating with a foreign intelligence service is currently not a punishable office. The administration has established that additional criminalization is desirable and will examine how that can been pursued, and then initiate a legislative process.

Follow-up
This case shows, again, that threats from foreign states against the Netherlands are real. We will further inform you about the broader approach in follow-up to the Parliamentary Letters “Countering foreign state threats” of 18 April 2019 and “Knowledge security in higher education and science” of 27 November 2020.

Awareness
The AIVD is committed to raising awareness about espionage risks and, where possible, explains to companies, governments and educational institutes how they can prevent this, both now and in the future.

Submarine communication cables and the Netherlands: translation of a letter from the Dutch state secretary of Economic Affairs and Climate Policy

On 23 October 2020, the Dutch state secretary for Economic Affairs and Climate Policy, Mona Keijzer, sent a letter (in Dutch) about submarine communication cables to our House of Representatives. This post provides an English translation of that letter.

Takeaways:

  • Distinction must be made between intercontinental cables and non-intercontinental cables. Only the former require underseas repeaters/amplifiers to carry the signal over a (very) long distance.
  • Risks related to the economic end-of-life being reached generally are about intercontinental cables — such as TAT-14. that directly connects the U.S. and the Netherlands. TAT-14 became operational in 2001 and will be disconnected in the nearby future. The state secretary says that this does not affect the Dutch, as most communication between the Netherlands and the U.S. is already transported via other countries.
  • A new submarine cable between the Netherlands and the United Kingdom will be laid in 2021, which can also be used for direct communication between the Netherlands and the U.S.
  • The state secretary explicitly recognizes the added value of laying new submarine cables, and promises to explore options to help facilitate that through, among others, licensing for landing stations. This is a follow-up to a request made by market parties, who also indicated that it would be desirable that the Dutch government plays a stronger role. The state secretary also points out that co-financing from the EU is possible for laying new cables.

The text below this line is the translation of the letter. Note: hyperlinks and parts in square []-brackets were added by me.


During the General Consultation on Digitization of 11 March 2020, I promised MP Verhoeven of the D66 fraction to give an overview of the problems, research, and actions in the field of submarine cables. Subsequently, during the General Consultation on Telecommunications of 11 June 2020, I promised MP Van den Berg of the CDA fraction to write a letter to your House about the outcome of the discussions with the sector about the investments in submarine cables. With this letter I fulfill this commitment and cover the valuable conversations I have had with market parties.

It is important to emphasize that the Netherlands has very good digital connections, both on land, at sea, and in the air. Both our mobile and fixed connections are among the best in the world [reference: https://zoek.officielebekendmakingen.nl/kst-26643-547.html]. For example, many submarine cables come ashore in the Netherlands, as can be seen on the picture elsewhere in this letter. This digital infrastructure is important for our economy and society and it is therefore important to maintain and expand this world-class digital infrastructure.

For a good understanding of submarine communication cables, a distinction must be made between submarine cables running between continents (intercontinental cables) and submarine cables within Europe. European submarine cables do not need active amplifiers on the ocean floor, because of the short distance they span. Intercontinental cables span a longer distance and therefore require such equipment. This makes it relatively easy to increase the capacity of existing cables to the United Kingdom or Denmark. Only the active equipment ashore needs to be renewed.

Increasing the capacity on intercontinental cables is more difficult, because in some cases the underwater amplifiers also need to be replaced. Therefore, when parties talk about risks around the lifetime of submarine cables [e.g. 25 years] they generally refer to these intercontinental cables. The research report by Stratix, about which MP Amhaouch of the CDA fraction asked questions during the General Consultation on Digitization of 11 March 2020, addresses whether there is a problem due to submarine cables being at the end of their economic life and whether new cables are expected to be laid soon. This research report can be found on the site of the national government.

Submarine cables in North-West Europe (source)

Stratix’ quick scan, as well as earlier research conducted in 2018, shows that cables can be active beyond the end of their economic life. However, because the equipment is outdated, the cable’s capacity will not increase in the long run. According to Stratix, the conclusion of the submarine cable industry was that there is no reason to assume that problems will arise in the short term. In addition, it was indicated that there currently is no demand for more capacity via a (new) transatlantic submarine cables to the Netherlands. If such demand arises, the new international submarine cables to Denmark, the United Kingdom, Ireland and France can be used, because of the good land and submarine connections we have with those countries. For example, there already are submarine cables to the United Kingdom and Denmark that can be used for this purpose. The most important conclusion of the Stratix study therefore is that there is sufficient submarine cable capacity to and around the Netherlands, and that market parties do not expect a shortage in the short or long term.

An important development for the longer term is that the market for submarine cable connections is changing. Where previously consortia of telecom companies, such as KPN, were laying a submarine cable, this is increasingly being done by individual non-telecom companies and mostly digital platforms, such as Google and Facebook and Microsoft. Furthermore, it has become clear that a transatlantic cable, the TAT-14 cable, which was laid in the past by a consortium and landed in the Netherlands, will be disconnected. A lot of traffic from the Netherlands already is transported to the U.S. via other countries, however. Given our geographical position, this is not illogical.

As I promised to your House, I have spoken to market parties about these developments, also on the basis of the letter that various parties have addressed to me on this subject [those parties were Stichting Digitale Infrastructuur Nederland, Dutch Data Center Association, Fiber Carrier Association and SURF]. From these discussions and the round table I organized on 29 September 2020, various insights have emerged. First of all, it is nice to be able to report that next year a new submarine cable will be laid between the United Kingdom and the Netherlands, which will also be connected to Ireland. Data traffic can be carried to the U.S. directly via this cable. Secondly, it appears that there is a diffuse picture about the added value of direct intercontinental connections over connections via other countries. Parties that have large data centers in the Netherlands, for example, indicate that they do not see any problem in this in the future. During the round table discussion I organized, it was also emphasized that the disappearance of cables generally has no consequences for Dutch users, but it is desirable for the Netherlands to be easily accessible, and therefore direct cables can be of added value.

I also see that submarine cables add value to the Dutch digital infrastructure. I want to explicitly express my positive opinion about the added value of laying new submarine cables. Therefore, if market parties or consortia of parties are considering laying a new submarine cable to the Netherlands, I am willing to facilitate this, for example in the licensing process.

This was also requested during the round table held with market parties. It was also indicated that it would be desirable that the Dutch government plays a stronger role. It was explicitly stated that this is not about paying for these cables, but about facilitating the landing. I will look at the laws and practical objections that might stand in the way of this. For example, parties have indicated that laying cables in the North Sea could be difficult in the future. I recognize this, and it is inherent in an intensively used North Sea. I feel it is important to leave room for new submarine cables, and this has been included in the National Environmental Vision [in Dutch: “Nationale Omgevingsvisie” aka NOVI] sent to your House by the Minister of the Interior and Kingdom Relations. As mentioned in this vision, this aspect will be further elaborated in the North Sea program. With regard to both the licensing and the North Sea program, I will contact other governments and ministries, including the Ministry of the Interior and Kingdom Relations.

A good investment climate for the installation of these cables is desirable. If a submarine cable lands in the Netherlands, this can stimulate business activity surrounding it. The Netherlands Foreign Investment Agency (NFIA) can play an acquiring or facilitating role where possible. In addition, European funds are also available for the construction of submarine cables. If market parties wish to lay these cables, co-financing from the EU is possible. I will also bring these funds to the attention of market parties.

Over the past few months, various discussions have taken place with market parties and a round table has been convened. Sea cables continue to have my attention as part of the digital infrastructure and in addition to the aforementioned actions I will continue to actively monitor developments in the coming period.