Cyber Incident Victim: Port of Amsterdam
Date: Jun 2023
Location: Netherlands
Summary
A pro-Russian hacktivist group known as NoName057(16) executed DDoS attacks against the websites of multiple Dutch ports, causing extended outages. The group claimed the attack was a response to the Netherlands' intention to purchase tanks for Ukraine. The attacks, originating from Russian and Serbian IP addresses, rendered public-facing websites inaccessible for hours or days. The incident did not impact internal operational systems used for shipping logistics, limiting the damage to public information services.
Description
On or around Tuesday, June 6, 2023, the websites of several Dutch port operating companies began to experience significant disruptions due to a series of distributed denial-of-service (DDoS) attacks. The pro-Russian hacktivist group known as NoName057(16) claimed responsibility for these cyber incidents. The group said the attacks were a direct response to the Netherlands' announced intention to purchase Swiss-made Leopard 1 tanks for subsequent delivery to Ukraine. The group communicated this motive publicly, with one message stating, "The Netherlands wants to buy Leopard 1s to deliver to Ukraine. By the way, according to the Ministry of Defense of the Russian Federation, 8 Leopard 1 tanks have already been destroyed. Bring on the next ones!" This aligns with the group's established pattern of targeting entities in NATO member states that oppose Russian interests.

The attacks specifically targeted the public-facing websites of the port authorities in Groningen, Amsterdam, Rotterdam, and Den Helder. The initial impact was felt on Tuesday, with the websites for the port operators in Rotterdam, Amsterdam, and Den Helder becoming unreachable for a period of several hours. The technical nature of the attacks involved flooding the web servers with an overwhelming amount of traffic, a hallmark of DDoS campaigns. According to the Port of Rotterdam, these attacks originated from IP addresses based in Russia and Serbia. The group employs what security researchers characterize as amateurish tools, but its methods proved effective enough to achieve its primary goal of rendering the targeted websites inaccessible.
The scope and duration of the disruption varied by location. While the sites for Rotterdam, Amsterdam, and Den Helder were restored after a few hours of downtime, the website for the Groningen Seaports remained offline for a significantly longer period. It was inaccessible for the entire following weekend. This extended outage coincided with a major public open day event held by Groningen Seaports on Saturday, which the port's spokesperson noted was particularly inconvenient timing for the organization from a public communications standpoint.
The incident response from the affected port authorities was focused on assessment and public communication. The port operating companies each confirmed that they had been subjected to DDoS attacks. The Port of Rotterdam further confirmed that their analysis had identified a Russian group as the perpetrator. Crucially, all entities involved conducted investigations to determine the full extent of the intrusion and potential damage. These investigations concluded that the impact was strictly limited to the public websites. Internal operational technology (OT) systems and critical infrastructure used for the core business of shipping logistics, cargo handling, and vessel traffic management were housed on separate, isolated servers and were not compromised or affected in any way. A spokesperson for the Port of Rotterdam emphasized this point, stating that while the website is an important public information channel, the company's operations are not dependent on it.
The consequences of the attack were therefore confined to a temporary loss of public web presence and the associated inconvenience of being unable to communicate digitally with the public for a defined period. There was no disruption to the physical port operations, maritime traffic, or cargo movement in any of the affected harbors. No data breaches, financial losses, or system compromises were reported as a result of these attacks. The primary success for the NoName057(16) group was the achievement of publicity and the demonstration of their ability to temporarily disrupt the online presence of their chosen targets in support of their political motives. The group publicized their claimed success within their dedicated Telegram channels, a common practice for such hacktivist entities to gain notoriety and amplify their message.
Security researchers tracking the group describe NoName057(16) as a small collective of pro-Russian hacktivists that emerged shortly after the full-scale Russian invasion of Ukraine. Their activities primarily consist of DDoS attacks against targets they perceive as opposing Russia. Their typical targets include the banking sector, private companies that supply the defense industry, and logistical entities within NATO countries. This incident against the Dutch ports is consistent with their previous campaigns, which have included similar attacks against the website of the Danish central bank and a Polish government website in the preceding year. The group's actions are characterized as ideologically driven hacktivism rather than sophisticated cybercrime for financial gain.
