Cyber Incident Victim: DigiD
Date:
Jan 2018
Location:
Netherlands
Summary
Multiple Dutch banks and the national tax authority experienced disruptive DDoS attacks targeting their online services, temporarily disabling mobile and internet banking platforms as well as government websites. The incidents caused intermittent outages across financial institutions' digital channels and briefly affected the tax office's web presence, with related online systems like DigiD also reporting disruptions. While the attacks coincided with revelations about Dutch intelligence operations against the Russia-linked Cozy Bear hacking group, cybersecurity experts noted the timing as the sole connecting factor without confirming a direct relationship. All impacted organizations confirmed no unauthorized access to customer data occurred during the network disruptions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Between January 27 and 29, 2018, multiple Dutch financial institutions and government agencies experienced distributed denial-of-service (DDoS) attacks disrupting their online services. ABN Amro Bank reported three separate DDoS incidents occurring on January 27 and 28, each lasting several hours and temporarily disabling its online and mobile banking platforms. Rabobank confirmed similar attacks through a public tweet on January 29, while ING Bank disclosed a DDoS incident on January 28. All three banks emphasized their internal systems remained secure with no unauthorized access to customer accounts or sensitive data. The Dutch tax authority's website and digital services were also targeted on January 29, resulting in a 5-10 minute outage. Subsequently, DigiD—the national online authentication system used for government services—experienced a DDoS attack, though specific downtime details were not provided. Each organization publicly acknowledged the incidents through official statements and social media updates, assuring users of service restoration without data compromise.
These cyberattacks coincided with Dutch media reports revealing the General Intelligence and Security Service (AIVD) had surveilled the Russia-linked hacking group Cozy Bear (APT29) in 2014. Investigations by outlets De Volkskrant and Nieuwsuur indicated AIVD operatives accessed security cameras monitoring Cozy Bear’s workspace in a Moscow university building near Red Square. Cybersecurity experts, including analyst Rickey Gevers, noted the temporal proximity between the DDoS attacks and the intelligence disclosure but emphasized no forensic evidence confirmed a retaliatory link to Cozy Bear. The attacks exclusively degraded public-facing services through traffic overload, causing operational interruptions without data exfiltration or system breaches. Financial institutions maintained customer communications throughout the disruptions, while government agencies restored DigiD and tax portals promptly. No additional threat actor claims or technical indicators were disclosed in available reporting.