
Cyber Incident Victim: Groningen Seaports

Date: Jun 2023

Location: Netherlands

Summary

A pro-Russian hacktivist group known as NoName057(16) executed DDoS attacks against Groningen Seaports and other Dutch port authorities. The group claimed the attack was a response to Dutch plans to purchase tanks for Ukraine. The incident resulted in the victim's public-facing website being offline for an extended period, specifically over a weekend which coincided with a major public open day event. Internal operational systems for shipping logistics were confirmed to be unaffected and ran on separate infrastructure.


Description

On or around June 6, 2023, pro-Russian cybercriminals launched a series of distributed denial-of-service (DDoS) attacks against the websites of several major Dutch port authorities. The group known as NoName057(16) claimed responsibility for these attacks. The group's stated motivation was a direct response to the Netherlands' expressed intention to purchase Swiss-made Leopard 1 tanks for subsequent delivery to Ukraine in support of its defense against the Russian invasion. A spokesperson for the group explicitly referenced this motive in a message posted to their Telegram channel, stating (translated from Dutch), "The Netherlands wants to buy Leopard 1s to supply to Ukraine." The attacks targeted the port authorities of Groningen, Amsterdam, Rotterdam, and Den Helder, all of which confirmed they were affected by the incident.

The initial impact occurred on Tuesday, June 6, 2023. The websites for the port authorities of Rotterdam, Amsterdam, and Den Helder were rendered unreachable for a period of several hours as a direct result of the DDoS onslaught. The attack against the Groningen Seaports website began around the same time but persisted for a significantly longer duration. The website for Groningen Seaports remained offline for the entire subsequent weekend, including Saturday, June 10th. This extended outage was particularly ill-timed for the organization, as it coincided with a major public open day event they were hosting that Saturday, hindering their public communication efforts.

According to cybersecurity researcher Tom Hegel of SentinelOne, who has monitored the group, NoName057(16) is a small collective of hacktivists that formed shortly after the full-scale Russian invasion of Ukraine. The group primarily employs DDoS attacks as its method of operation. Hegel characterized the tools used by the group as "amateuristic" but noted they are nevertheless effective enough to achieve the primary goals of taking websites offline and, crucially, generating attention for their cause. The group's activities are a form of hacktivism, merging hacking techniques with political activism to advance a pro-Russian agenda. Their typical targets include the banking sector, private companies supplying the defense industry, and logistical entities within NATO member states, with prior attacks noted against the Danish central bank and a Polish government website in the previous year.

The technical investigation into the attacks was conducted by the affected port authorities. The Port of Rotterdam Authority confirmed its own assessment that a Russian group was behind the incident. Their analysis further identified that the malicious traffic constituting the DDoS attacks originated from IP addresses based in both Russia and Serbia. This geographic sourcing of the attack infrastructure is consistent with the group's claimed allegiance and objectives.

The scope of the incident was contained exclusively to the public-facing websites of the targeted ports. Internal operational technology systems critical for the core business of ship handling and port logistics were completely unaffected. These critical systems operate on separate servers and infrastructure entirely isolated from the web servers hosting the corporate sites. A spokesperson for the Port of Rotterdam explicitly confirmed that systems used for vessel handling were never in any danger due to this segregation. The confirmed impact was therefore limited to the temporary unavailability of an informational portal used for public communication.

The response actions taken by the organizations were focused on mitigating the website outages and restoring normal service. While specific technical remediation steps were not detailed in public statements, the return to functionality for the websites of Rotterdam, Amsterdam, and Den Helder within hours, and eventually for Groningen after the weekend, indicates that incident response teams successfully implemented countermeasures to absorb or block the malicious traffic. The primary consequence of the incident was a temporary disruption to the public information channels of the port authorities, with the most significant operational inconvenience experienced by Groningen Seaports during its open day. No financial losses, data breaches, or compromises to safety-critical systems were reported as a result of these attacks. The incident served to highlight the use of DDoS attacks by politically motivated hacktivist groups as a tool for causing disruption and garnering publicity in support of state-level geopolitical conflicts.
