Analysts noted that the nature of the attack requires access to infrastructure that a couple of small-time vandals would not have. “Dutch study possible Iran hacking of government web sites,” by Gilbert Kreijger and William MacLean for Reuters, September 4:
AMSTERDAM (Reuters) – The Dutch government said on Sunday it was investigating whether Iran may have been involved in hacking Dutch state websites after digital certificates were stolen.
Dutch Interior Ministry spokesman Vincent van Steen declined to say whether Iranian authorities in the Netherlands or Iran had been contacted, and said more details would be published in a letter to the Dutch parliament early next week.
But van Steen confirmed the veracity of a report by the Dutch news agency ANP saying the cabinet was looking into whether the Iranian government played a part in breaking into Dutch government websites.
Such web sites may no longer be safe after the digital theft of internet security certificates from Dutch IT company DigiNotar, the Interior Ministry said in a statement.
Officials at the Iranian embassy in The Hague were not immediately available for comment nor was there an immediate reply to emails asking for comment.
Google said in its security blog on August 29 that it had received reports of attacks on Google users, that “the people affected were primarily located in Iran,” and that the attacker used a fraudulent certificate issued by DigiNotar.
DigiNotar’s systems were hacked in mid-July and security certificates were stolen for a number of domains, DigiNotar and its owner, U.S.-listed VASCO Data Security International, said on August 30.
Relations between Iran and the Netherlands deteriorated early this year when a Dutch-Iranian woman was hanged in Iran in January and buried without her relatives being present. She had been arrested after taking part in demonstrations and accused of drug smuggling.
In April, the Iranian embassy in The Hague criticised the Dutch government after an Iranian asylum seeker who was being extradited set himself on fire in Amsterdam and died.
A certificate lets a web browser verify that it is securely connected to the genuine website and that the connection is not being intercepted by someone else. Interposing on such a secure link is known as a “man-in-the-middle attack.”
The stolen certificates were immediately revoked after detection of the theft but one, for the site Google.com, was only “recently” revoked after a warning from the Dutch government, DigiNotar and VASCO said.
Internet security experts said it was possible the hacking originated from Iran and involved state support.
“This is the second batch of fraudulent security certificates in the last six months with questionable links to Iranian actors,” said John Bumgarner, a cyber researcher and chief technology officer for the non-profit U.S. Cyber Consequences Unit.
“The certificates in question would not only allow a state actor to access the email and Skype accounts of dissenters, but also install monitoring software on their computers,” Bumgarner said.
Experts apply the “cui bono” test, asking who would benefit from an act, to judge who is most likely to be the perpetrator.
“The ‘cui bono?’ test suggests Iranian state involvement. No doubt the government of Iran will try to blame some hacker group, if they say anything at all,” said Ross Anderson, Professor in Security Engineering at Cambridge University.
It was possible, Anderson said, that a government used hacker groups as auxiliaries but it was not likely that a small group would do a man-in-the-middle attack on its own.
“To use the forged certificate to do a man-in-the-middle attack on Gmail, you need to be in a position to be the man in the middle, which means you usually have to be an internet service provider (ISP), or in a position to compel an ISP to do your bidding. That means proximity to government,” he said.
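The article explains why a certificate mis-issued by a trusted CA is dangerous: ordinary chain validation accepts it, so it is only stopped once it is revoked or once the client checks something stronger than the trust store. The following Python sketch, added here as an illustration and not taken from the article or from any browser's code, models the two layers of that check on constructed data: plain chain validation (name, trusted issuer, revocation list) and key pinning, which rejects a certificate from a trusted issuer when the public key is not one the site owner pinned. All CA names, hostnames, serials and key bytes are constructed placeholders, and the `Certificate` class is a stand-in for the handful of X.509 fields involved, not a parser.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for the fields a client checks; not a real X.509 parser."""
    subject: str        # hostname the certificate is issued for
    issuer: str         # name of the CA that signed it
    serial: str         # serial number, the identifier a CRL revokes by
    public_key: bytes   # constructed stand-in for the DER SubjectPublicKeyInfo


def spki_pin(public_key):
    """Pin = SHA-256 over the public key bytes, the usual pinning form."""
    return hashlib.sha256(public_key).hexdigest()


# Constructed trust store: the client trusts both CAs, much as browsers
# trusted DigiNotar alongside every other root in 2011.
TRUSTED_ISSUERS = {"Example Legit CA", "Example Compromised CA"}

# Constructed pin set: the key the site owner actually operates for this host.
LEGIT_KEY = b"constructed-public-key-of-the-real-site"
PINS = {"mail.example.com": {spki_pin(LEGIT_KEY)}}


def chain_valid(cert, hostname, trusted_issuers, revoked):
    """Ordinary validation: name matches, issuer trusted, serial not revoked.
    `revoked` is a set of (issuer, serial) pairs, i.e. a flattened CRL."""
    if cert.subject != hostname:
        return False, "hostname mismatch"
    if cert.issuer not in trusted_issuers:
        return False, "issuer not in trust store"
    if (cert.issuer, cert.serial) in revoked:
        return False, "certificate revoked"
    return True, "chain valid"


def pin_ok(cert, hostname, pins):
    """Pinning: a chain-valid cert is still rejected when its key is not pinned."""
    expected = pins.get(hostname)
    if expected is None:
        return True, "no pin for host"
    if spki_pin(cert.public_key) in expected:
        return True, "pin matched"
    return False, "pin mismatch: trusted issuer but unexpected key"


def evaluate(cert, hostname, trusted_issuers, revoked, pins):
    """Full client decision: chain validation first, then the pin check."""
    ok, reason = chain_valid(cert, hostname, trusted_issuers, revoked)
    if not ok:
        return False, reason
    return pin_ok(cert, hostname, pins)


def demo():
    """Constructed certificates for one hostname; returns each outcome by name."""
    host = "mail.example.com"
    genuine = Certificate(host, "Example Legit CA", "0x01", LEGIT_KEY)
    # Mis-issued by a trusted CA for a key the attacker controls; the CRL
    # does not list it yet, which is the window the article describes.
    rogue = Certificate(host, "Example Compromised CA", "0x1337",
                        b"constructed-attacker-key")
    results = {}
    results["genuine"] = evaluate(genuine, host, TRUSTED_ISSUERS, set(), PINS)
    results["rogue_chain_only"] = chain_valid(rogue, host, TRUSTED_ISSUERS, set())
    results["rogue_with_pin"] = evaluate(rogue, host, TRUSTED_ISSUERS, set(), PINS)
    results["rogue_after_revocation"] = evaluate(
        rogue, host, TRUSTED_ISSUERS, {("Example Compromised CA", "0x1337")}, PINS)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:24s} {'ACCEPT' if accepted else 'REJECT':6s} {reason}")
```

The `rogue_chain_only` case is the point of the exercise: with nothing but the trust store and an out-of-date CRL, the mis-issued certificate is accepted, which is why revocation alone arrived too late for the users the article mentions. The pin check rejects the same certificate without waiting for the CA to act.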