Cyber Incident Victim: Kingdom of Belgium

Date: Jun 2023

Location: Belgium

Summary

Belgian federal government services were targeted by a distributed denial-of-service (DDoS) cyberattack, severely disrupting online services for websites including '.belgie.be' and '.fgov.be'. The attack caused intermittent outages and slowdowns but has since been stopped. The national cybersecurity center assessed the incident as solely disruptive, stating the probability of personal data being stolen is virtually non-existent. This event aligns with a recent series of similar DDoS attacks across Europe.

Description

On June 26, 2023, the online services of multiple Belgian federal government departments began experiencing significant disruptions. The first systems were reported to have been taken offline around 16:15. The disruptions continued into the following day, Tuesday, June 27, with services being severely disrupted at times throughout the morning. The cause of the widespread disruption was identified as a cyberattack designed to overburden or severely slow down the system behind the government websites. The attack specifically targeted a range of government web domains, including those ending in '.belgie.be', '.belgique.be', '.belgien.be', and '.fgov.be', making them difficult or impossible to access for periods of time. The Federal Public Service Finance publicly acknowledged the incident on Tuesday via Twitter, reporting "storingen" or disruptions to its online service provision.

The attack was characterized as a Distributed Denial of Service (DDoS) attack. This type of attack involves directing a large volume of data toward a system with the intent of slowing it down or taking it completely offline. The incident was not an isolated event but part of a broader pattern of similar cyber incidents across Europe in the preceding weeks. The Center for Cybersecurity Belgium (CCB) described the situation as a "carrousel of DDoS-aanvallen" or carousel of DDoS attacks, noting that Belgium was the latest target following recent attacks on countries including the Netherlands and Spain. These prior European incidents often had a geopolitical background and were frequently claimed by pro-Russian hacker groups.

The Center for Cybersecurity Belgium led the response to the incident. Initial assessments on the morning of June 27 suggested the issue had been resolved; however, the disruption persisted, leading to what was described as a prolonged game of "cat and mouse" throughout the entire morning as the attack continued to evolve. The primary focus of the response was to mitigate the attack's effects and restore normal service availability to the affected government portals. By the afternoon of June 27, the CCB confirmed that the attack had been stopped for some time and that their efforts had successfully averted the ongoing threat.

A key finding from the initial investigation was the assessment regarding data security. The CCB, through its director Miguel De Bruycker, stated that the chance of personal data being stolen during this attack was virtually non-existent. The analysis concluded that the attack had a singular objective of causing disruption to the systems and was not designed to breach data security or exfiltrate sensitive information. This assessment provided assurance that the integrity of citizen data held on the targeted systems remained intact despite the service outages.

Following the containment of the immediate attack, the response shifted to a phase of post-incident analysis. The CCB announced its intention to conduct a full analysis of the attacks to understand their mechanics and origin better. The purpose of this analysis was to develop improved strategies for preventing future similar attacks or, at a minimum, avoiding their most critical effects. This investigative work included efforts to determine who was behind the attack. As of the reporting on June 27, the attack had not been claimed by any individual or group. However, the CCB noted the pattern of previous weeks' attacks, which were often claimed by groups like Killnet, a known pro-Russian hacking collective specializing in DDoS attacks against government institutions and companies. The disruption served to highlight the vulnerability of critical online public services to this specific type of high-volume attack and underscored the need for continued vigilance and enhanced defensive measures within the European context.
