Cyber Incident Victim: Gemeente Voorschoten en Wassenaar
Date:
Mar 2024
Location:
Netherlands
Summary
A cyberattack targeting the shared ICT infrastructure of two Dutch municipalities was successfully mitigated after systems were shut down upon detecting abnormal load spikes. A crisis team coordinated with national cybersecurity authorities and law enforcement. Primary operational impact restricted officials to on-site work temporarily, though public services remained unaffected and functionality was largely restored within days. While the attack's targeted nature remains under investigation, security enhancements including network monitoring and restricted foreign application access were implemented. Financial consequences are currently unconfirmed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 5 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 29, 2024, shortly before the Easter weekend, the shared ICT systems of the municipalities of Voorschoten and Wassenaar experienced a cyberattack. At the end of the morning, administrators detected a significant spike in network traffic indicative of an attack, prompting immediate shutdown of all systems to contain the threat. This action successfully prevented further compromise. Municipal authorities activated a crisis team following the incident and initiated contact with both the Association of Netherlands Municipalities' Information Security Service (IBD) and the National Cybersecurity Center (NCSC). On the NCSC's advisory recommendation, law enforcement was also engaged to support the response. While the attack disrupted remote work capabilities for municipal employees, onsite operations at town halls remained fully functional throughout the incident. Residents experienced no service interruptions, as public-facing systems continued operating normally. Restoration efforts proceeded continuously over the weekend, with systems largely normalized by Tuesday, April 2.
The attack exclusively impacted internal administrative functions, preventing officials from accessing applications remotely while leaving citizen services unaffected. Both municipalities maintain a shared ICT infrastructure despite having dissolved their joint civil service organizational structure years prior. Investigative authorities have not yet determined whether the incident constituted a targeted attack or indiscriminate malicious activity. As part of post-incident hardening measures, municipal administrators implemented security adjustments across multiple infrastructure points, enhanced network monitoring protocols, and restricted access to foreign-based applications to bolster system integrity. Financial repercussions from the attack remain unquantified as of the latest reporting. Technical and criminal investigations by relevant authorities remain ongoing to establish attribution and attack methodology.