The Dutch Public Prosecution Service on Monday began phased restoration of its networks after a cyberattack last month forced the agency to take down its services offline.
The agency on Monday confirmed that hackers exploited a vulnerability in a Citrix device, but said that no data was stolen or manipulated in the breach. It took systems offline on July 17 following disclosures of vulnerabilities in Citrix NetScaler ADC and Gateway appliances.,
Dutch media reported in late July that "well-informed sources" believe Russia is behind the incident. Cybersecurity experts told newspaper Algemeen Dagblad that Russian hackers were likely gathering intelligence from the prosecution office or intending to disrupt a close Western ally of Ukraine. The Netherlands has been a strong supporter of Kyiv following Moscow's 2022 invasion of Ukraine, including by transferring F-16 airplanes and training the Ukraine military. Only on Monday it pledged 500 million euros to a NATO fund purchasing U.S. munitions for Ukraine, including Patriot missile intercept systems.
A July warning from the Dutch National Cyber Security Center that hackers were targeting vulnerabilities known as Citrix Bleed 2 prompted the prosecution service to isolate its internal network. The vulnerability, tracked as CVE-2025-5777, allows attackers to bypass multifactor authentication, hijack user sessions and gain unauthorized access to the equipment (see: Attackers Actively Exploit 'Citrix Bleed 2' Vulnerability).
Netherlands intelligence agencies earlier this year fingerprinted Moscow hackers for September 2024 breach resulting in the theft of work-related contact details of all Dutch police officers. Dutch agencies said the hackers behind the police incident belonged to a new cluster of threat activity they dubbed Laundry Bear. The group shares tactics with Unit 26165 of the Russian Main Intelligence Directorate, commonly tracked as APT28, the government said (see: NATO Countries Targeted By New Russian Espionage Group).
Citrix released patches for Citrix Bleed 2 on June 17. The Dutch Public Prosecution Service would not be the only organization to have succumbed to the flaw. Cybersecurity company Imperva in July reported observing more than 10 million attack attempts, although many of those were opportunistic and automated. Nor would Russia be the only nation-state to take advantage of the flaw. GreyNoise last month said it observed early exploitation attempts appearing to originate from China in what appeared to be targeted attacks.
