Cyber Incident Victim: Tweak.nl
Date: Aug 2020
Location: Netherlands
Summary
A wave of DDoS attacks targeted DNS infrastructure across multiple European ISPs, including Dutch providers, disrupting services through DNS amplification and LDAP-type attacks reaching up to 300 Gbit/s. The incidents caused temporary operational interruptions that were mitigated within a day. Dutch authorities confirmed accompanying Bitcoin extortion demands, but reported no definitive attribution and no established link to concurrent financial-sector extortion campaigns. A separate outage involving misconfigured Flowspec rules was also reported during this period.
Description
Between late August and early September 2020, multiple internet service providers across Western Europe experienced distributed denial-of-service (DDoS) attacks targeting critical DNS infrastructure. The attacks impacted ISPs in Belgium, France, and the Netherlands, including EDP in Belgium, Bouygues Télécom and K-net in France, and Caiway and Delta (parent company of Tweak.nl) in the Netherlands. Initial attacks began around August 28, with disruptions continuing through the following week. Attack vectors consisted primarily of DNS amplification and LDAP reflection techniques, generating traffic volumes reaching 300 gigabits per second. Each attack episode lasted less than 24 hours before being mitigated by network operators. The Dutch NBIP (Network Operators Institute Netherlands), representing national ISPs, publicly characterized the technical nature of the attacks while coordinating response efforts among affected providers.

Service disruptions occurred during active attack windows, though full outage durations were limited by mitigation measures. The Dutch National Cyber Security Centre (NCSC) later confirmed extortion demands accompanied some attacks, with threat actors requesting Bitcoin payments to cease attacks. No verified attribution for the campaign was established during the incident timeframe. Concurrently, an unrelated CenturyLink network outage occurred due to a misconfigured Flowspec rule intended to mitigate DDoS traffic, though this incident was not explicitly linked to the European ISP attacks. By early September, most affected providers had restored normal operations through traffic filtering and infrastructure hardening measures. The NBIP continued monitoring for recurring attack patterns while sharing technical indicators across its membership to bolster collective defenses against similar DNS-targeted campaigns.
