Cyber Incident Victim: Royal Dirkzwager
Date:
Mar 2023
Location:
Netherlands
Summary
Royal Dirkzwager, a Dutch maritime logistics provider, suffered a ransomware attack by the Play group involving data theft of contracts and personal information from its servers. Operational systems remained unaffected, but the incident compounded employee distress amid recent bankruptcy and workforce reductions. The company engaged in negotiations with the attackers, notified the Dutch Data Protection Authority, and implemented alternative client service solutions while addressing the breach. The attack targeted infrastructure supporting maritime organizations and ship movement coordination, reflecting broader ransomware trends against critical logistics sectors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Royal Dirkzwager, a Netherlands-based maritime logistics company founded in 1872, experienced a ransomware attack attributed to the Play group around March 9, 2023. CEO Joan Blaas confirmed the incident publicly, stating that while operations remained unaffected, attackers exfiltrated data from servers containing contracts and personal information. The breach occurred following a turbulent period for the company, which had filed for bankruptcy in September 2022 before Blaas acquired it in October. The Play ransomware group listed Royal Dirkzwager on its leak site by March 13, corroborated by cybersecurity researcher Dominic Alvieri. Blaas engaged in negotiations with the threat actors and reported the incident to the Dutch Data Protection Authority. The company, which provides vessel tracking and port logistical data to over 800 maritime organizations, maintained its core services monitoring 200,000 annual ship movements despite the compromise. Employees endured significant emotional strain due to compounding challenges including bankruptcy-related layoffs, office relocation, and the cybersecurity incident. Technical recovery efforts were immediately initiated, with Blaas confirming active work to resolve system impacts and implementation of alternative client solutions to maintain service continuity.
The attack occurred amid heightened targeting of maritime infrastructure by ransomware groups. Industry precedents included the January 2023 attack against DNV’s ShipManager software, which disrupted technical certifications for 13,175 vessels and required full server environment reconstruction. European port operators faced escalated threats throughout early 2023, with the Play group simultaneously disrupting Oakland’s municipal systems and LockBit compromising Lisbon’s port operations in January. Historical parallels included the February 2022 cyberattacks against Oiltanking and Mabanaft, which forced force majeure declarations by crippling hydrocarbon loading systems across Antwerp, Amsterdam, and Terneuzen terminals. Royal Dirkzwager’s incident reflected persistent sector vulnerabilities despite differing operational impacts, as Expeditors International’s 2022 breach demonstrated prolonged global logistics disruptions from similar attacks. No forensic findings regarding Royal Dirkzwager’s infrastructure scope or attacker methodologies were disclosed, though the company prioritized server restoration and client communications throughout the response.