In a report by the Dutch newspaper de Volkskrant, newly discovered information shows that in 2017 a vulnerability in an undisclosed third-party software product was exploited on a Police Academy system, allowing attackers to pivot to the central police network. At the time, the Dutch Police were investigating the downing of MH-17, the Malaysia Airlines passenger plane that went missing mid-flight. The Dutch intelligence service, AIVD, had noticed communication between Police systems and known malicious servers operated by Russian state-sponsored threat actors. The Record notes that “a recent AIVD report claimed that Russia ran influence operations in 2020, trying to discredit the findings of its MH-17 investigation”, and this is seemingly linked to the attack against the police systems.
While the AIVD and the Dutch Police have not publicly stated who or which threat actors breached Police systems, the evidence seems to show that a Russian intelligence agency was behind the attack. In all of this, there are two important lessons that defenders should note: 1) the critical role vulnerability management and asset inventory play in a security program, and 2) the necessity of threat hunting. On multiple occasions, advanced threat actors have been seen exploiting older, known vulnerabilities in legacy systems as a pivot point to attack larger networks. If such systems are not receiving patches, or will not receive patches in the future but are still required in production, ingest their logs into a SIEM or other logging solution. Threat hunting is built on data from many different sources, and building detections for legacy systems gives organizations a way to become aware when those systems are being interacted with suspiciously.
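The logging-and-detection recommendation above, as an added example that is not part of the original article: a small Python hunt over constructed flow records from an unpatched legacy host, flagging contact with destinations outside its expected peer list and connections into a protected central segment. The inventory, addresses and log lines are all assumed placeholders.

```python
"""Added example (not from the article): hunt for suspicious activity around
legacy hosts that cannot be patched, using constructed flow logs. Two rules:
a legacy host contacting a destination outside its expected peer list, and a
legacy host initiating traffic into a segment it must never reach (a pivot)."""
import ipaddress

# Asset inventory: legacy hosts that will not receive patches (constructed).
LEGACY_HOSTS = {"10.20.5.15": "academy-app-01"}
# Destinations each legacy host is expected to talk to (constructed).
EXPECTED_PEERS = {"10.20.5.15": {"10.20.5.1", "10.20.5.20"}}
# Central segments a legacy host must never initiate traffic into (constructed).
PROTECTED_SEGMENTS = [ipaddress.ip_network("10.100.0.0/16")]


def parse_flow(line):
    """Parse a 'timestamp src dst dport' flow record as exported to the SIEM."""
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def detect(lines):
    """Return (timestamp, host, rule, destination) for each suspicious flow."""
    alerts = []
    for line in lines:
        ts, src, dst, _dport = parse_flow(line)
        if src not in LEGACY_HOSTS:
            continue  # only hunt around the unpatched inventory
        host = LEGACY_HOSTS[src]
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in seg for seg in PROTECTED_SEGMENTS):
            alerts.append((ts, host, "pivot_into_protected_segment", dst))
        elif dst not in EXPECTED_PEERS.get(src, set()):
            alerts.append((ts, host, "unexpected_peer", dst))
    return alerts


# Constructed flow log: a normal flow, an unknown external peer, a pivot
# attempt into the protected segment, and a flow from a non-legacy host.
SAMPLE_LOGS = [
    "2017-09-01T10:00:00Z 10.20.5.15 10.20.5.1 53",
    "2017-09-01T10:00:05Z 10.20.5.15 203.0.113.77 443",
    "2017-09-01T10:00:09Z 10.20.5.15 10.100.7.22 445",
    "2017-09-01T10:00:12Z 10.20.5.20 10.20.5.15 8080",
]


def run_sample():
    return detect(SAMPLE_LOGS)


if __name__ == "__main__":
    for ts, host, rule, dst in run_sample():
        print(f"{ts} {host}: {rule} -> {dst}")
```

In a real SIEM the inventory and peer lists would come from the asset database rather than constants, but the two rules stay the same.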