
Cyber Incident Victim: Port of Rotterdam

Date:

Jun 2023

Location:

Netherlands

Summary

Pro-Russian hacktivist group NoName057(16) executed DDoS attacks against Dutch port websites, causing outages lasting several hours to days. The group claimed the attacks were retaliation for the Netherlands' plans to purchase tanks for Ukraine. The ports of Rotterdam, Amsterdam, Den Helder, and Groningen were affected, with the latter's website being offline during a major public open day. The attacks, originating from Russian and Serbian IP addresses, only disrupted public-facing websites and did not impact critical operational systems for shipping.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In early June 2023, the websites of several major Dutch port authorities became the target of a series of distributed denial-of-service (DDoS) attacks. The pro-Russian cybercriminal group known as NoName057(16) claimed responsibility for these attacks. The group's stated motive was a direct response to the Netherlands' declared intention to purchase Swiss-made Leopard 1 tanks for subsequent delivery to Ukraine. A spokesperson for the group explicitly referenced this on their Telegram channel, stating, "The Netherlands wants to buy Leopard 1s to supply to Ukraine. By the way, according to the Ministry of Defense of the Russian Federation, 8 Leopard 1 tanks have already been destroyed. Bring on the next ones!" This aligns with the group's established pattern of targeting entities in NATO member states that provide support to Ukraine.

The attacks commenced on Tuesday, June 6, 2023. The primary impact was the sustained unavailability of the public-facing websites for the port authorities of Rotterdam, Amsterdam, and Den Helder. These websites were rendered unreachable for a period of several hours. The Port of Groningen (Groningse Zeehaven) was also targeted and experienced a significantly longer outage; its website remained offline for the entire subsequent weekend. This extended downtime was particularly ill-timed for the Port of Groningen, as it coincided with a major public open day event held that Saturday, hindering their public communication efforts.

According to cybersecurity researcher Tom Hegel of SentinelOne, who has been tracking the group, NoName057(16) is a small collective of hacktivists that emerged shortly after the full-scale Russian invasion of Ukraine. The group relies primarily on DDoS attacks. Hegel characterized their methods as "amateurish tools," but noted their effectiveness in achieving the primary goal of taking websites offline and, crucially, generating attention for their cause. The group's targets are typically chosen for their political symbolism and frequently include the banking sector, private companies supplying the defense industry, and logistical enterprises within NATO countries. This is consistent with their previous activities, which included attacks on the website of the Danish central bank and a Polish government website.

The affected port organizations conducted technical analysis of the attack traffic. The Port of Rotterdam confirmed that its internal investigation attributed the attacks to a pro-Russian group and traced the malicious traffic to IP addresses geographically located within Russia and Serbia. The port authority publicly disclosed this attribution and technical detail.

The impact of the incident was contained exclusively to the public websites. Internal investigation and analysis confirmed that no other operational systems were compromised or affected. A spokesperson for the Port of Rotterdam explicitly stated, "For us a website is important because we can inform the public, but we are not dependent on the website." The critical systems responsible for the actual handling and management of ship traffic, which operate on separate and isolated server infrastructure, were never in any danger during the attack. The consequence was purely a temporary loss of public-facing web presence, which served as an inconvenience to public communication rather than a disruption to port logistics or maritime operations.

The response actions undertaken by the port authorities focused on mitigating the DDoS attacks and restoring website availability. Specific technical countermeasures were not detailed in public statements, but the response to a DDoS attack typically involves working with hosting providers or employing DDoS mitigation services to filter malicious traffic. The ports of Rotterdam, Amsterdam, and Den Helder successfully restored their websites within hours on Tuesday. The Port of Groningen required a longer period to fully resolve the issue, with service being restored after the weekend outage.

Throughout the incident, the primary response was one of containment and restoration, with no reports of further escalation or data breach. The incident was treated as a disruptive event rather than a penetrating intrusion, given its confinement to publicly accessible web servers. The group NoName057(16) used their Telegram channels to publicly boast about these successful disruptions, a common practice for such hacktivist groups seeking to amplify their political message and demonstrate capability to their followers. The event exemplifies the use of relatively low-sophistication cyber tactics to create symbolic impact and generate media attention in support of geopolitical objectives.
