Full Report
It was used to track a Dutch naval ship: Dutch journalist Just Vervaart, working for the regional media network Omroep Gelderland, followed the instructions posted on the Dutch government website and mailed a postcard with a tracker hidden inside. Once the card was aboard, the journalist was able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus. While it only revealed the location of that one vessel, knowing that it was part of a carrier strike group sailing in the Mediterranean could potentially put the entire fleet at risk...
Analysis Summary
# Tool/Technique: Physical Tracking via Embedded Bluetooth Trackers (Mail-in Attack)
## Overview
This technique involves the concealment of commercial-off-the-shelf (COTS) Bluetooth tracking devices (e.g., Apple AirTags, Tile, or similar low-cost trackers) within physical mail, such as postcards or greeting cards. The objective is to bypass traditional security screening—which may focus on packages rather than flat mail—to achieve persistent geolocation tracking of a high-value asset, such as a naval vessel or a person of interest.
## Technical Details
- **Type:** Physical Tracking Tool / Side-channel Surveillance
- **Platform:** Physical mail infrastructure / Bluetooth Crowdsourced Location Networks
- **Capabilities:** Real-time or near-real-time geolocation tracking using mesh network protocols (e.g., Apple Find My network).
- **First Seen:** April 2024 (Incident involving the Dutch ship HNLMS Groningen).
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - **[T1012 - Query Registry]** (Inapplicable in physical context; relevant as hardware-based discovery)
- **[TA0009 - Collection]**
  - **[T1213 - Data from Information Repositories]** (Exploiting government-provided mailing addresses)
- **[PRE-ATT&CK / Physical Tactic]**
  - **[T1583.008 - Physical Assets]** (Procurement of hardware trackers)
  - **[T1599.001 - Physical Security Bypass]** (Exploiting lack of X-ray screening for standard letters/cards)
## Functionality
### Core Capabilities
- **Crowdsourced Geolocation:** Leverages the "Find My" network or similar Bluetooth LE (Low Energy) ecosystems to report location when in proximity to other mobile devices.
- **Form Factor Concealment:** Small, thin profiles allow trackers to be hidden between layers of paper or inside electronic greeting cards.
- **Low Power Consumption:** Designed to operate for months or years on a single coin-cell battery.
### Advanced Features
- **Passive Tracking:** The device does not require an active GPS lock (which requires line-of-sight to the sky); it only requires a nearby smartphone with Bluetooth enabled.
- **Mesh Connectivity:** Can relay location data even from deep inside a ship's hull if personal mobile devices are present in the vicinity.
## Indicators of Compromise
- **File Hashes:** N/A (Physical hardware)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:**
  - `findmy[.]apple[.]com` (Generic C2 for Apple-based trackers)
  - Bluetooth advertisements from unrecognized MAC addresses.
- **Behavioral Indicators:**
  - Presence of unexpected Bluetooth Low Energy (BLE) beacons in restricted areas.
  - Receipt of unsolicited electronic greeting cards or heavy/thick postcards.
## Associated Threat Actors
- **Just Vervaart** (Journalist/Researcher - Proof of Concept)
- **Potential Use By:** Foreign Intelligence Services (FIS), Private Investigators, and stalkers.
## Detection Methods
- **Physical Screening:** Usage of X-ray scanners for ALL incoming mail, including flat envelopes and postcards.
- **Electronic Detection:** Specialized RF (Radio Frequency) scanners designed to detect Bluetooth LE broadcasts (2.4 GHz spectrum).
- **User Alerts:** Relying on mobile operating system notifications (e.g., "An AirTag is moving with you" alerts on iOS and Android).
- **Manual Inspection:** Policy-driven inspection of "musical" or electronic greeting cards that contain batteries and circuit boards.
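The behavioral indicator above (unexpected BLE beacons in a restricted area) and the RF-scanner detection method can be turned into a concrete triage rule for a mail-handling area. The following Python is an added example, not code from the original report or from any tracker vendor: it parses raw BLE advertising data as a sniffer would hand it over, labels payloads that match the Apple Find My offline-finding layout (manufacturer-specific data with company ID 0x004C and payload type 0x12, as documented by public research on the protocol) or that carry the 16-bit service UUID 0xFEED assigned to Tile, and flags advertisers that stay in range longer than a dwell threshold. The payload layouts are assumptions taken from public documentation, and the addresses and capture timeline are constructed samples, not observations from the incident.

```python
"""Triage BLE advertisements for crowdsourced-location trackers.

Added example, not part of the original report. Payload layouts are assumed
from public documentation of the Bluetooth AD-structure format, the Apple
Find My offline-finding advertisement and the Tile service UUID; all sample
captures below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AD_TYPE_INCOMPLETE_16BIT_UUIDS = 0x02
AD_TYPE_COMPLETE_16BIT_UUIDS = 0x03
AD_TYPE_MANUFACTURER_DATA = 0xFF

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier for Apple
APPLE_FINDMY_TYPE = 0x12    # Find My "offline finding" payload type (assumed from public research)
TILE_SERVICE_UUID = 0xFEED  # 16-bit service UUID assigned to Tile, Inc. (assumed)


@dataclass
class Advertisement:
    timestamp: float  # seconds since capture start
    address: str      # advertiser address as printed by the sniffer
    payload: bytes    # raw advertising data (sequence of AD structures)


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split raw advertising data into (ad_type, data) pairs.

    Each structure is <length><type><data...>. A zero length byte is padding
    and a length running past the buffer is malformed; both end parsing
    instead of raising, so hostile or truncated input cannot crash the loop.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        structures.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return structures


def classify_advertisement(payload: bytes) -> Optional[str]:
    """Return a tracker family label when the payload matches a known pattern."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER_DATA and len(data) >= 3:
            company = int.from_bytes(data[0:2], "little")
            if company == APPLE_COMPANY_ID and data[2] == APPLE_FINDMY_TYPE:
                return "apple-findmy"
        elif ad_type in (AD_TYPE_INCOMPLETE_16BIT_UUIDS, AD_TYPE_COMPLETE_16BIT_UUIDS):
            uuids = {int.from_bytes(data[j:j + 2], "little") for j in range(0, len(data) - 1, 2)}
            if TILE_SERVICE_UUID in uuids:
                return "tile"
    return None


def flag_persistent_trackers(captures: List[Advertisement], min_dwell_s: float) -> List[dict]:
    """Group tracker-like advertisements by address and flag those seen for at
    least min_dwell_s seconds: a tracker passing the gate in a visitor's pocket
    matters less than one sitting in the mail room."""
    seen: Dict[str, dict] = {}
    for adv in captures:
        label = classify_advertisement(adv.payload)
        if label is None:
            continue
        entry = seen.setdefault(adv.address, {"label": label, "first": adv.timestamp,
                                              "last": adv.timestamp, "count": 0})
        entry["first"] = min(entry["first"], adv.timestamp)
        entry["last"] = max(entry["last"], adv.timestamp)
        entry["count"] += 1
    flagged = []
    for address, entry in seen.items():
        dwell = entry["last"] - entry["first"]
        if dwell >= min_dwell_s:
            flagged.append({"address": address, "label": entry["label"],
                            "dwell_s": dwell, "count": entry["count"]})
    return sorted(flagged, key=lambda e: -e["dwell_s"])


# --- constructed sample captures (not real sniffer output) ---
FINDMY_ADV = (bytes([0x1E, AD_TYPE_MANUFACTURER_DATA, 0x4C, 0x00, APPLE_FINDMY_TYPE, 0x19, 0x00])
              + bytes(range(22)) + bytes([0x00, 0x00]))  # status, 22 key bytes, 2 trailer bytes
NEARBY_INFO_ADV = bytes([0x06, AD_TYPE_MANUFACTURER_DATA, 0x4C, 0x00, 0x10, 0x05, 0x01])  # Apple, not Find My
HEADSET_ADV = bytes([0x02, 0x01, 0x06, 0x08, 0x09]) + b"Headset"  # flags + complete local name
TILE_ADV = bytes([0x02, 0x01, 0x06, 0x03, AD_TYPE_COMPLETE_16BIT_UUIDS, 0xED, 0xFE])  # UUID 0xFEED

SAMPLE_CAPTURE = [
    Advertisement(0.0, "c2:41:7a:10:55:01", FINDMY_ADV),
    Advertisement(0.0, "5c:f3:70:aa:bb:cc", HEADSET_ADV),
    Advertisement(5.0, "d8:ab:cd:00:11:22", TILE_ADV),
    Advertisement(30.0, "5c:f3:70:aa:bb:cc", HEADSET_ADV),
    Advertisement(120.0, "c2:41:7a:10:55:01", FINDMY_ADV),
    Advertisement(600.0, "c2:41:7a:10:55:01", FINDMY_ADV),
    Advertisement(610.0, "60:12:34:56:78:9a", NEARBY_INFO_ADV),
]

if __name__ == "__main__":
    for hit in flag_persistent_trackers(SAMPLE_CAPTURE, min_dwell_s=60):
        print(f"{hit['address']}  {hit['label']:12s}  dwell={hit['dwell_s']:.0f}s  seen={hit['count']}")
```

In deployment the capture list would be fed from a BLE sniffer placed in the mail-sorting area. Two caveats matter when reading the output: Find My advertisers rotate their key and address periodically, so a tracker that dwells for hours appears as several shorter-lived addresses and has to be correlated by payload family and time as well as by address; and a match on these patterns is a reason to pull and inspect a mail item, not proof of hostile intent, since staff's own key fobs and headphones speak the same protocols.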
## Mitigation Strategies
- **Policy Enforcement:** Banning the receipt of electronic greeting cards in sensitive military or corporate environments.
- **Security Hardening:** Implementing a "sterile zone" for mail sorting where electronics are neutralized or shielded (Faraday cages).
- **Training:** Personnel awareness regarding the risks of unsolicited mail and the significance of "Unknown Tracker" alerts on their personal smartphones.
## Related Tools/Techniques
- **GPS Loggers:** Similar tracking, but the device needs its own GPS fix and is usually larger.
- **IMSI Catchers:** Used for tracking cellular devices.
- **Supply Chain Interdiction:** Planting trackers in hardware during transit.