
Russia was able to hack the Dutch police due to a volunteer clicking on malware

 

Summary

The Dutch police have been hacked by Russian state hackers, and the personal information of 63,000 employees has been obtained.

 

Quotes

Several sources report that Russia is responsible for the recent hack of the Dutch police. This could reportedly happen because a police volunteer clicked on a malware link. In the cyberattack, the data of 63,000 employees was stolen.

 

My thoughts

I realize this is somewhat older news, about a week old.

Human error at work, but the worse bit here is that it was due to a volunteer. It just goes to show how easily it can happen, and here one could say a type of "worst case scenario" has happened. As said, I find it surprising that this information could be leaked via a volunteer; that seems like a lot of access to me. The reason I'm posting it here is because I'd like to see (or try to see) a potentially more international point of view, rather than a more local one.

 

Sources

(note: these are Dutch-language sources; you would need to translate them)

https://tweakers.net/nieuws/227266/rusland-hackte-nederlandse-politie-vrijwilliger-bij-politie-klikte-op-malware.html?showReaction=20370798#r_20370798
 -> https://tweakers.net/nieuws/227216/hack-op-nederlandse-politie-kwam-van-statelijke-actoren.html
 -> https://tweakers.net/nieuws/227054/gegevens-van-alle-63000-nederlandse-politiewerknemers-zijn-gestolen-bij-hack.html

https://www.parool.nl/amsterdam/politiehack-volgens-inlichtingendiensten-uitgevoerd-door-ander-land-en-is-groter-dan-gedacht~b09ea492/
https://datanews.knack.be/nieuws/security/cybercrime/rusland-zit-achter-nederlandse-politiehack/#:~:text=11:40 Bijgewerkt op: 11:40 Bron: Data News. Bronnen zeggen


This was the translation

"Hackers managed to get their hands on the data from the police Outlook program. As a result, they had access to the names of people, the departments where they work, and their phone numbers. This also applies to regular mail partners outside the police."

Ok, so that can happen any number of ways. What I would want to know is the method. Was the GAL (Global Address List) exfiltrated by a user that got phished? If so, was it token theft, or was malware installed?


6 minutes ago, manikyath said:

you really need state sponsored hackers to make a volunteer with WAY too much access click a link...

Not really too much access. The GAL can be very insecure, and any account can read it, so unless you are restricting what goes into the GAL, it's there for anyone and anything to see; thus any compromised account can leak it out. Same goes for AD: unless you do something to prevent reading out all the accounts and groups in the entire structure, then any account will do.

 

The dumbest answer probably is the answer.

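The point above, that a default GAL is readable by every mailbox account, maps onto a concrete Exchange control: an Address Book Policy (ABP) that gives a class of accounts, such as volunteers, a scoped address list instead of the whole directory. The following is an added example, not code from the thread or from any of the organisations discussed; it assumes an Exchange Online PowerShell session (or the on-premises Exchange Management Shell), and the policy names ("ABP-Volunteers" and friends) and the use of CustomAttribute1 values 'Volunteer', 'Unit-Contact' and 'Sensitive-Unit' as tagging conventions are assumptions.

```powershell
# Added example (not from the thread): scope the Exchange Global Address List
# with an Address Book Policy so a volunteer account only sees the contacts its
# role needs, and report which mailboxes still sit on the unscoped default GAL.
# Assumptions: connected Exchange PowerShell session; policy names and the
# CustomAttribute1 tagging convention below are invented for this example.

# --- Weak (default) state: every mailbox user can read the entire GAL ---------
# Baseline check: how many recipients are visible in the default GAL, and how
# many mailboxes have no Address Book Policy assigned at all.
function Get-GalExposureReport {
    $allRecipients = Get-Recipient -ResultSize Unlimited
    $visible = $allRecipients | Where-Object { -not $_.HiddenFromAddressListsEnabled }
    $noPolicy = Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.AddressBookPolicy }
    [pscustomobject]@{
        RecipientsVisibleInDefaultGal = $visible.Count
        MailboxesWithoutAbp           = $noPolicy.Count
    }
}

# --- Corrected state: a scoped GAL and address lists wrapped in an ABP --------
function New-VolunteerAddressBookPolicy {
    # Only recipients an admin has tagged as unit contacts are included
    # (assumed convention: CustomAttribute1 = 'Unit-Contact').
    $filter = "(CustomAttribute1 -eq 'Unit-Contact')"

    New-GlobalAddressList -Name "GAL-Volunteers" -RecipientFilter $filter | Out-Null
    New-AddressList -Name "AL-Volunteer-Contacts" -RecipientFilter $filter | Out-Null
    New-AddressList -Name "AL-Volunteer-Rooms" `
        -RecipientFilter "(RecipientDisplayType -eq 'ConferenceRoomMailbox')" | Out-Null
    New-OfflineAddressBook -Name "OAB-Volunteers" -AddressLists "\GAL-Volunteers" | Out-Null

    New-AddressBookPolicy -Name "ABP-Volunteers" `
        -AddressLists "\AL-Volunteer-Contacts" `
        -GlobalAddressList "\GAL-Volunteers" `
        -OfflineAddressBook "\OAB-Volunteers" `
        -RoomList "\AL-Volunteer-Rooms"
}

# Assign the policy to every mailbox tagged as a volunteer, then hide
# sensitive-unit mailboxes from all address lists regardless of policy.
function Set-VolunteerScope {
    # ABP routing makes a scoped user unable to resolve recipients outside
    # their policy, rather than merely hiding them in the address picker.
    Set-OrganizationConfig -AddressBookPolicyRoutingEnabled $true

    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'Volunteer'" |
        Set-Mailbox -AddressBookPolicy "ABP-Volunteers"

    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'Sensitive-Unit'" |
        Set-Mailbox -HiddenFromAddressListsEnabled $true
}

# Usage (after Connect-ExchangeOnline or in the Exchange Management Shell):
#   Get-GalExposureReport            # before: MailboxesWithoutAbp equals all mailboxes
#   New-VolunteerAddressBookPolicy
#   Set-VolunteerScope
#   Get-GalExposureReport            # after: volunteer mailboxes now carry the ABP
```

Two caveats for anyone applying this. An ABP is a view, so without address-book-policy routing a determined user can still resolve recipients by address; enabling routing closes that gap but needs to be tested against shared mailboxes and distribution groups that span units. And it only covers the Exchange side of the post above: the AD point (any authenticated account can enumerate users and groups over LDAP by default) is a separate exercise in directory ACLs, and scoping the GAL does nothing for it.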

2 minutes ago, leadeater said:

unless you are restricting what goes in to the GAL

I mean.. it's just my armchair opinion (literally sitting slumped back in a couch rn) but wouldn't a police force be the sort of place where one does that?

 

I'm not even thinking foreign actors here; just a bad apple / crime syndicate mole can go haywire with this information.


11 minutes ago, manikyath said:

I mean.. it's just my armchair opinion (literally sitting slumped back in a couch rn) but wouldn't a police force be the sort of place where one does that?

 

You'd think so but I know how poorly run and secure a lot of systems, ones controlled by govs, actually are so I'd be putting every option on the table of possibilities. Things like this can get overlooked because all the effort is spent on the SAP/Oracle application or whatever that is used for the actual police information system(s) which can be very secure, but good old Global Address List is out in the open.


11 minutes ago, manikyath said:

but wouldn't a police force be the sort of place where one does that?

Unless mandated within the department, cops are rather ignorant when it comes to cyber security. Their domain is physical law enforcement in "meat space".


Why is a volunteer "the worst case"? Why aren't the people responsible for having lax security and not giving proper instructions "the worst case"?

 

The poor dude is probably the least responsible person in that department lol...


9 minutes ago, Mark Kaine said:

Why is a volunteer "the worst case"? Why aren't the people responsible for having lax security and not giving proper instructions "the worst case"?

 

The poor dude is probably the least responsible person in that department lol...

Oh, I agree - it's just that that aspect of it makes the argument (or the whole happening, as it were) create a lot more uplift in being critical about how this could go wrong.

And yes, I do feel worried about the person, who, I would assume, just tried to do the volunteer job as best one can. The consequences of the action would drive me into worlds of unimaginable stress and anxiety.


Just now, SkyStreaker said:

Oh, I agree - it's just that that aspect of it makes the argument (or the whole happening, as it were) create a lot more uplift in being critical about how this could go wrong.

And yes, I do feel worried about the person, who, I would assume, just tried to do the volunteer job as best one can. The consequences of the action would drive me into worlds of unimaginable stress and anxiety.

 

Yeah, that's why I pointed it out - I could be wrong, but it sounds like literally everyone could have clicked that link with the same result... You also got to wonder how he even got access - likely because no one working there has any clue about cyber security (as someone else said, they're cops, so it's not even their job; sure, it should be, but likely isn't, they're just for "real crimes" smh)


1 hour ago, manikyath said:

you really need state sponsored hackers to make a volunteer with WAY too much access click a link...

I mean it all really depends. If the translation is correct in that it's just names/department/location of work/phone numbers [which I assume means work phone number], it's not really that big of a deal to have people who can access that sort of list.

 

Nothing is worse in terms of efficiency than when someone internally says, "hey, contact xyz in abc department because we need lmn stuff", only to realize you don't know xyz, abc doesn't have a call tree, etc. Having had to do that for someone whose phone number I didn't have, literally what could have been a quick search in my address book turned into waiting a day for people to reply back who knew how to contact the person. To an extent it reminds me a bit of calling a store and getting redirected around departments until you finally find someone to help you.

 

Especially if the volunteer has to do something with directing people to the correct departments/people, they might need a list of all the relevant people they might need to work with. Yes, it could be trimmed down to specifically their needs, but then you start getting into backend admin work to ensure all volunteers have access to only the call tree that is needed... it's actually how some places end up with so much bloat, because in the name of "efficiency" or only having exact access you slow down onboarding etc. or create busy work for people to access who needs what, etc.

 

Like everything with security, there is a realistic balance that needs to be made. I could create a system that realistically wouldn't allow employees to compromise anything... but watch how efficiency takes a nose dive. Everything needs balancing and weighing the importance of the data that could be exposed based on risk, importance, and the probability that someone might attempt to get it.


If a single volunteer can hack the police and steal so much data (with a phishing link or not), you don't have a phishing problem, you have an access problem. Russia could've easily made their man go there on purpose (or maybe they even did).


On 10/4/2024 at 11:58 PM, StDragon said:

This was the translation

"Hackers managed to get their hands on the data from the police Outlook program. As a result, they had access to the names of people, the departments where they work, and their phone numbers. This also applies to regular mail partners outside the police."

Are the people most cognisant of scam/malicious calls now at risk of being called up by Russia for marketing and job offers?

