Cyber Incident Victim: European Data Protection Board
Date: Aug 2020
Location: Belgium
Summary
Multiple European ISPs in Belgium, France, and the Netherlands, including EDP, experienced coordinated DDoS attacks targeting DNS infrastructure, employing DNS amplification and LDAP techniques with some attacks peaking at 300Gbit/s. These incidents caused temporary service disruptions but were mitigated within a day; Dutch authorities later confirmed associated extortion demands involving Bitcoin, though no definitive attribution was established.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late August 2020, multiple European internet service providers experienced distributed denial-of-service (DDoS) attacks targeting their DNS infrastructure over a one-week period. The attacks affected ISPs across Belgium, France, and the Netherlands, including Belgium's EDP, France's Bouygues Télécom and K-net, and the Netherlands' Caiway and Delta. Attack durations did not exceed 24 hours per incident, though service disruptions occurred during active attack windows. The Dutch nonprofit NBIP, representing national ISPs, characterized the attacks as employing DNS amplification and LDAP attack vectors, with some attacks reaching volumes of 300 gigabits per second. Mitigation measures were implemented successfully by the affected providers, restoring normal operations within a day for each incident. The timing coincided with separate reports of DDoS extortion campaigns against financial institutions, though investigators found no confirmed connection between these events at the time of initial reporting on September 3, 2020.

On September 4, 2020, Dutch cybersecurity authorities from the NCSC confirmed that Bitcoin extortion demands accompanied some of the DDoS attacks against Dutch ISPs, though attribution remained unverified. The attacks specifically disrupted DNS services, causing temporary outages for customers of the targeted providers during peak attack periods. Concurrently, a separate CenturyLink network outage occurred due to a misconfigured Flowspec rule implemented during their response to an unrelated DDoS incident, though this technical failure was not directly connected to the European ISP attacks. No additional technical specifics regarding attack origins, perpetrator identities, or exact financial demands were disclosed in the available reporting. Service restoration timelines varied by provider but remained within 24 hours across all confirmed cases.
