Cyber Incident Victim: Netherlands
Date:
Apr 2025
Location:
Netherlands
Summary
The targeted Dutchprovincial and municipal websites were hit by a DDoS attack claimed by the pro‑Russian hacker group NoName, which cited recent military aid to Ukraine as motivation. The assault flooded the servers with traffic, rendering the sites difficult or impossible to reach until normal service was restored later in the day.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
OnApril 28, 2025, at approximately 11:37 a.m., the websites of several Dutch provinces and municipalities became the target of a cyber attack. The affected provinces were Groningen, North Holland, Zeeland, Drenthe, Overijssel and North Brabant, while the municipalities of Apeldoorn, Breda, Nijmegen and Tilburg were also hit. The pro‑Russian hacker group NoName claimed responsibility for the attack and posted on X, “It's time to visit the Netherlands again,” referencing the 6 billion euro military aid package to Ukraine announced in February and the planned 3.5 billion euro package for 2026. The group described the action as a distributed denial of service (DDoS) attack, a method in which overwhelming volumes of traffic are directed at a server to disrupt its normal operation. In a DDoS attack, a network of compromised devices is instructed to repeatedly request access to a website simultaneously, creating a massive spike in data traffic that the server cannot accommodate. This overload causes the server to collapse under the pressure, rendering the associated websites difficult or impossible to reach for legitimate users. The attack on the Dutch provincial and municipal sites followed this pattern, making the online services unavailable during the incident. According to the Information Security Service for Municipalities (IBD), the affected websites were restored and became accessible again at 2:00 p.m. on the same day.
NoName has a history of conducting similar DDoS operations against nations that support Ukraine, and the group has repeatedly targeted Dutch entities in the past. In March of the previous year, a number of Dutch provincial websites were blacked out by an attack attributed to this same group, and other Dutch organizations had experienced earlier incidents as well. The attackers noted that such DDoS campaigns are relatively easy to execute and are sometimes offered as a service by cybercriminals. The April 2025 event fits within this broader pattern of politically motivated disruption aimed at allies of Ukraine.