Cyber Incident Victim: Havenbedrijf Den Helder
Date: Jun 2023
Location: Netherlands
Summary
A pro-Russian hacktivist group named NoName057(16) executed DDoS attacks against the Port of Den Helder and other Dutch ports, causing their public-facing websites to be unreachable for hours. The group claimed the attack was a response to the Netherlands' plans to purchase tanks for Ukraine. The incident was limited to the websites, and critical operational systems for shipping traffic remained unaffected and ran on separate servers.
Description
In the week beginning June 12, 2023, pro-Russian cybercriminals launched a series of distributed denial-of-service (DDoS) attacks targeting the websites of several Dutch port authorities. The group known as NoName057(16) publicly claimed responsibility for these attacks. Their stated motive was a direct response to the Dutch government's intention to purchase Swiss-made Leopard 1 tanks for subsequent delivery to Ukraine, an action they perceived as opposing Russian interests. According to American researcher Tom Hegel of cybersecurity firm SentinelOne, the group operates on a simple principle: "If someone does something that hinders Russia, then they are a target." The port authorities of Groningen, Amsterdam, Rotterdam, and Den Helder all confirmed they were victims of these DDoS campaigns.

The attacks manifested on Tuesday, June 13, 2023, causing significant disruption to the online presence of the targeted ports. The websites of the port authorities in Rotterdam, Amsterdam, and Den Helder were rendered unreachable for a period of several hours on that day. The impact on the Groningen Seaports website was more prolonged, remaining offline for the entire subsequent weekend. This timing was particularly inconvenient for the Groningen port, as they had a major open day event scheduled for that Saturday, hindering their public communication efforts during a key public engagement period. The primary impact across all entities was the temporary loss of public-facing web services, which are used to disseminate information to the public.
NoName057(16) is characterized by cybersecurity researchers as a group of hacktivists—a portmanteau of hacker and activist—who began their operations shortly after the full-scale Russian invasion of Ukraine. Their typical modus operandi involves conducting DDoS attacks, a relatively unsophisticated but often effective technique for overwhelming a website with traffic to force it offline. Hegel described the group as utilizing "amateuristic tools" but noted their effectiveness in achieving their primary goals, which are to take websites offline and, crucially, to garner attention for their cause. Their chosen targets frequently include the banking sector, private companies supplying the defense industry, and logistical entities within NATO member states, aligning with their pro-Russian political objectives. This targeting pattern was consistent with previous attacks they had executed against the website of the Danish central bank and a Polish government website in the preceding year.
Following the attacks, the group engaged in their standard practice of publicly boasting about their successes on their Telegram channels. In these posts, they were explicit about their motivation, directly referencing the Dutch plan to acquire the tanks. One message stated, "The Netherlands wants to buy Leopard 1's to supply to Ukraine. By the way, according to the Ministry of Defense of the Russian Federation, 8 Leopard 1 tanks have already been destroyed. Bring the next ones!" This public posturing is a core component of their strategy, using these platforms to claim credit, amplify their message, and attempt to demonstrate their effectiveness in support of the Russian Federation.
The technical investigation into the attacks was corroborated by the Port of Rotterdam Authority. Their own analysis confirmed that the attacks originated from Russian and Serbian IP addresses, which aligned with the claimed affiliation of the attacking group. A critical finding from all affected port authorities was that the scope of the incident was strictly limited to their public websites. Internal operational technology and critical systems remained entirely unaffected. The port spokespersons were clear that while their public websites are an important channel for informing the public, their core business operations are not dependent on them. The systems essential for handling ship traffic and port logistics run on separate, isolated servers that were not targeted or impacted by this particular campaign. Therefore, the consequence of the attack was confined to a temporary disruption of public information services and a reputational nuisance, with no impact on the physical movement of goods or vessels. The incident was resolved through standard mitigation procedures for DDoS attacks, restoring website availability after the attack waves subsided.
