Cyber Incident Victim: NRC Handelsblad
Date: Apr 2025
Location: Netherlands
Summary
The outlet’s online platform became unavailable after a distributed denial of service attack flooded its servers with millions of requests, overwhelming the hosting provider’s capacity. Traffic analysis showed the barrage originated from residential connections worldwide and later shifted to a handful of Dutch‑based networks linked to hosting firms in Lithuania, Hong Kong and Georgia. The provider activated a national scrubbing service and imposed a geographic block, after which the attack persisted from the permitted Dutch sources until it ceased approximately twenty‑four hours later. The national cyber security centre confirmed that the incident appeared in its logs as part of a wave of attacks attributed to the hacker group NoName057(16).
Description
On Wednesday 30 April 2025 at 08:12 a.m. an employee of NRC’s digital development team messaged colleagues that the NRC app showed only a white screen and no articles were loading. Half an hour later a deputy editor-in-chief informed the whole company that nrc.nl was unreachable or poorly accessible and that the cause was being investigated, asking staff to hold off on sending newsletters. By 09:12 a.m. the deputy editor-in-chief reported that the outage was caused by a distributed denial-of-service (DDoS) attack that was still ongoing. The NRC site remained inaccessible for readers throughout the day, while customer service played a recorded explanation and approximately eighty readers emailed the outlet. Journalists whose pieces were scheduled for that day saw their work go unread, buried under the flow of newer news.

Intermax, NRC’s hosting provider in Rotterdam, detected the surge in traffic after the initial half-hour and, at 11:00 a.m., found that its equipment could no longer cope, prompting the activation of NaWas, the national DDoS-mitigation service. At 11:12 a.m. NaWas issued a technical notice redirecting all NRC traffic through its scrubbing centre. Despite this, the site remained difficult to access; the filter alternated between being too strict and too lenient. At 3:15 p.m. Intermax implemented a geoblock, allowing only requests originating from Belgium and the Netherlands to pass. The attack continued, but after the geoblock the bulk of the malicious traffic shifted to a handful of Dutch-based networks, which kept firing millions of requests per hour. The assault persisted through the evening and night and ceased exactly 24 hours after it began, after which the geoblock was lifted and NaWas withdrew its intervention. NRC subsequently filed a police report.

Analysis of the attack logs by NRC’s technical team, assisted by Mattijs Jonker of the University of Twente and Carel Bitter of Spamhaus, revealed 83 million HTTP requests over a 48-hour period. Early in the morning the requests originated from residential IP addresses worldwide, including Dutch telecom customers such as KPN and Ziggo, indicative of a botnet. After the geoblock, nine specific networks stood out, three of which generated the majority of the traffic: IP ranges belonging to UAB Cherry Servers (Lithuania), CGI Global Limited (Hong Kong), and an entity registered as “Individual Entrepreneur Anton Levin” (Georgia). Tracing a sample packet from CGI Global led to a server hosted at Serverius in Meppel, while the peer network of Anton Levin was linked to the Dutch hosting firm Skylink in Eygelshoven. Both Serverius and Skylink had previously been noted for hosting customers involved in illicit activities such as child-abuse material, phishing and spam. The NCSC confirmed that NRC appeared as the sole media organisation in its spreadsheet of attacks for that week, noting that the command “val nrc.nl aan” (Dutch for “attack nrc.nl”) had been issued by the pro-Russian hacking group NoName057(16) on 30 April. The NCSC reported 133 DDoS attacks on Dutch targets during the same period, attributing them to the same group’s volunteers who use the “Ddosia” tool.
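
The geoblock and per-network log analysis described above, as an added example that is not NRC's or Intermax's own tooling: it applies a Netherlands/Belgium allow-list to a constructed request log, then measures what share of the permitted traffic each source network contributes. The prefix table, the sample addresses (RFC 5737 documentation ranges) and the 50% threshold are assumptions.

```python
import ipaddress
from collections import Counter

ALLOWED_COUNTRIES = {"NL", "BE"}  # geoblock from the description: Netherlands and Belgium only

# Constructed prefix-to-country table (RFC 5737 documentation ranges,
# not the networks involved in the incident).
PREFIX_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "NL",     # hypothetical Dutch-hosted server range
    ipaddress.ip_network("198.51.100.0/24"): "NL",  # hypothetical Dutch residential ISP
    ipaddress.ip_network("203.0.113.0/24"): "US",   # hypothetical foreign residential ISP
}

def classify(ip):
    """Return (network, country) for an address, or (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in PREFIX_COUNTRY.items():
        if addr in net:
            return net, country
    return None, None

def analyse(source_ips, share_threshold=0.5):
    """Apply the geoblock, then measure how concentrated the permitted traffic is."""
    passed = Counter()
    blocked = 0
    for ip in source_ips:
        net, country = classify(ip)
        if country in ALLOWED_COUNTRIES:
            passed[net] += 1
        else:
            blocked += 1  # unknown origin is dropped too (fail closed)
    total = sum(passed.values())
    shares = {str(net): count / total for net, count in passed.items()} if total else {}
    flagged = sorted(net for net, share in shares.items() if share >= share_threshold)
    return {"blocked": blocked, "passed": total, "shares": shares, "flagged": flagged}

# Constructed sample: one source address per logged request.
SAMPLE = (
    ["192.0.2.10"] * 60 + ["192.0.2.11"] * 30    # two servers, 90 requests
    + [f"198.51.100.{i}" for i in range(1, 11)]  # ten readers, one request each
    + ["203.0.113.5"] * 40                       # foreign source, stopped by the geoblock
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On real logs the prefix table would come from a routing or geolocation dataset; a network that sits inside the allow-list yet carries most of the permitted requests is the pattern the analysis found after the geoblock.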

The outage prevented readers from accessing any NRC content for a full day, disrupted the publication workflow for journalists, and prompted a significant volume of reader complaints and internal communications. After the attack ended, normal service resumed the following morning. The incident contributed to the NCSC’s warning that DDoS attacks are no longer merely symbolic but represent a growing, costly threat to organisations dependent on online availability, especially given the low cost to attackers compared with the defensive resources required. No further details about legal proceedings or long-term changes to NRC’s infrastructure were provided in the source material.
