Cyber Incident Victim: Consejo General del Poder Judicial (CGPJ) / Punto Neutro Judicial (PNJ)
Date:
Sep 2022
Location:
Spain
Summary
The judicial telecommunications network PNJ was compromised in a cyberattack targeting Spanish public administration networks, serving as an entry point to access other public institutions without compromising judicial data or court-held information. Security measures were immediately implemented to contain and neutralize the attack, with coordination established between national cybersecurity response centers and data protection authorities for investigation and mitigation. The incident prompted formal notifications to relevant oversight bodies regarding the breach of institutional access pathways.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Consejo General del Poder Judicial (CGPJ) detected a cyberattack affecting Spain’s public administration networks during the second half of October 2022, which impacted the Punto Neutro Judicial (PNJ). The PNJ, a centralized telecommunications network managed by the CGPJ, facilitates secure communications between judicial bodies and state institutions such as the Tax Agency, National Police, Public Employment Service, and Social Security. Attackers exploited the PNJ to gain access to other public institutions, though investigations confirmed no compromise of judicial procedure data or other sensitive information held by courts and tribunals. The CGPJ implemented immediate cybersecurity measures to contain and neutralize the attack upon discovery. Coordination began with Spain’s General State Administration Cybersecurity Operations Center (COCS) and the National Cryptologic Center (CCN-CERT) to investigate the incident and deploy mitigation strategies. The PNJ’s design restricts external access, allowing connected institutions to interact only via their internal networks, but this did not prevent its misuse as an entry point for横向 movement.
The CGPJ formally notified the Spanish Data Protection Agency (AEPD) and its internal Data Protection Supervision and Control Directorate, adhering to regulatory protocols. No evidence indicated unauthorized access to judicial records or case management systems, limiting the breach’s direct operational impact on courts. The attack’s primary consequence was the disruption of interagency communications via the PNJ, though specific downtime durations or recovery timelines were not disclosed. Response efforts focused on forensic analysis, threat containment, and reinforcing network defenses, with no attribution or motive identified in the available reporting. The incident underscored the PNJ’s role as critical infrastructure for judicial-administrative interoperability and triggered cross-agency cybersecurity coordination to address systemic vulnerabilities in public sector networks.