The Dutch Public Prosecution Service on Monday began phased restoration of its networks after a cyberattack last month forced the agency to take down its services offline.
The agency on Monday confirmed that hackers exploited a vulnerability in a Citrix device, but said that no data was stolen or manipulated in the breach. It took systems offline on July 17 following disclosures of vulnerabilities in Citrix NetScaler ADC and Gateway appliances.,
Dutch media reported in late July that "well-informed sources" believe Russia is behind the incident. Cybersecurity experts told newspaper Algemeen Dagblad that Russian hackers were likely gathering intelligence from the prosecution office or intending to disrupt a close Western ally of Ukraine. The Netherlands has been a strong supporter of Kyiv following Moscow's 2022 invasion of Ukraine, including by transferring F-16 airplanes and training the Ukraine military. Only on Monday it pledged 500 million euros to a NATO fund purchasing U.S. munitions for Ukraine, including Patriot missile intercept systems.
A July warning from the Dutch National Cyber Security Center that hackers were targeting vulnerabilities known as Citrix Bleed 2 prompted the prosecution service to isolate its internal network. The vulnerability, tracked as CVE-2025-5777, allows attackers to bypass multifactor authentication, hijack user sessions and gain unauthorized access to the equipment (see: Attackers Actively Exploit 'Citrix Bleed 2' Vulnerability).
Netherlands intelligence agencies earlier this year fingerprinted Moscow hackers for September 2024 breach resulting in the theft of work-related contact details of all Dutch police officers. Dutch agencies said the hackers behind the police incident belonged to a new cluster of threat activity they dubbed Laundry Bear. The group shares tactics with Unit 26165 of the Russian Main Intelligence Directorate, commonly tracked as APT28, the government said (see: NATO Countries Targeted By New Russian Espionage Group).
Citrix released patches for Citrix Bleed 2 on June 17. The Dutch Public Prosecution Service would not be the only organization to have succumbed to the flaw. Cybersecurity company Imperva in July reported observing more than 10 million attack attempts, although many of those were opportunistic and automated. Nor would Russia be the only nation-state to take advantage of the flaw. GreyNoise last month said it observed early exploitation attempts appearing to originate from China in what appeared to be targeted attacks.
Security experts are dismissing a pro-Iranian hacktivist group's claim to have breached Indian nuclear secrets in reprisal for the country's support of Israel.
The LulzSec Black group last week claimed to have hacked "the company responsible for Indian nuclear reactors" and to have stolen 80 databases, of which it was now selling 17 databases containing 5.2 gigabytes of data. The group claimed the information detailed the precise location of India's nuclear reactors, numerous chemical laboratories, employee personally identifiable information, industrial and engineering information, precise details of guard shifts and "other sensitive data related to infrastructure."
LulzSec Black, named after the notorious hacktivist collective that committed a string of high-profile hits in 2011, claims to be a group of "Palestinian hackers." Previous attacks tied to the group include disruptions targeting Israel, as well as countries that support Israel, including France and Cyprus.
Threat intelligence firm Resecurity said the group's nuclear claims vary from being dramatically overstated to outright lies.
"This activity is related to the 'pseudo-hacktivist' activities by Iran" designed to provoke fear, uncertainty and doubt, Resecurity told Information Security Media Group. "Many of their statements are overstatements, having no connection to reality. For example, they clearly do not have '80 databases' or even 5.2 GB of data."
LulzSec Black's claims arrive amidst U.S. government alerts of the "heightened threat environment" facing critical infrastructure networks and operational technology environments, following Israel launching missile strikes against Iran on June 13 (see: Infrastructure Operators Leaving Control Systems Exposed).
While the resulting regional war appears to now be moderated by a fragile ceasefire, many governments are still bracing for reprisals (see: Israel-Iran Ceasefire Holding Despite Fears of Cyberattacks).
What LulzSec Black may actually possess is identity and contact information for nuclear specialists, likely stolen from third-party HR firms and recruitment websites such as the CATS Software applicant tracking system and recruitment software, Resecurity said. This can be seen in the long list of various job titles - "security auditor, heavy water unit," "nuclear engineer, analysis lab, tritium gas," and "radiation officer, fuel fabrication, uranium dioxide" - in a sample of dumped data.
In that data, tags such as "Top Secret," appear, which Resecurity said likely either reflect clearances held by job candidates, or were added by the hackers themselves "so it will look like it is from some nuclear energy facility."
A suspected Chinese hacking campaign that began in November is exploiting a vulnerability in Palo Alto firewalls to install a custom malware backdoor for espionage.
CDK Global, the auto dealership software solutions firm that supplies services to an estimated 15,000 dealerships in the U.S. and Canada, said it has begun the
The U.S. Department of Justice in a lawsuit filed Thursday is accusing Apple of discarding user security and privacy protections as part of a broader effort to
The fallout from the Clop cybercrime group's mass theft of data from MOVEit servers continues to increase. Colorado's state healthcare agency alone is now notifying
Since Hydra Market Got Shuttered by Police, Russian Rivals Battle for Market Share.
Competition between Russian-language darknet markets remains fierce following the takedown of market leader Hydra last April by a multinational law enforcement operation.
Researchers have found that Kinsing malware gained access to Kubernetes servers by exploiting misconfigured and exposed PostgreSQL servers. The threat actors gained
California's largest public school district and the second-largest in the U.S. is undergoing a ransomware attack. The attack has disrupted the district's email
School is out for more than 3,000 students of a suburban Detroit district undergoing its second day of forensics analysis following an online attack. Students have
The broadcast of the Football World Cup 2022 qualifier game between Wales and Ukraine on Sunday was interrupted in Ukraine by a cyberattack that targeted OLL.TV...
