Critical Infrastructure Security,
Cybercrime,
Fraud Management & Cybercrime
NCSC-NL Reports Citrix NetScaler Vulnerability Targeted Critical Infrastructure
The Dutch National Cyber Security Centre (NCSC-NL) has delivered a preliminary assessment indicating that a suspected Russian hacking campaign involved more than one group in the May breach of the nation’s law enforcement network. Investigators have determined that the exploitation of the Citrix NetScaler vulnerability also extended to critical infrastructure targets within the country.
In Related News: For those interested in the evolving landscape of cybersecurity threats, On Demand | Ransomware in 2025: Evolving Threats, Exploited Vulnerabilities, and a Unified Defense Strategy offers valuable insights.
Announcing its findings, the NCSC-NL revealed on Monday that several critical infrastructure organizations fell victim to the attackers, who exploited the vulnerability tracked as CVE-2025-6543. According to NCSC, the attacks demonstrated the use of sophisticated methods by one or more actors, employing zero-day exploits and erasing traces to conceal their activities.
This news follows the phased restoration of networks for the Dutch Public Prosecution Service, which had to temporarily suspend key operations due to a cyberattack in May (refer to Dutch Prosecutors Recover From Suspected Russian Hack for more details).
The cyberattack significantly impacted the Dutch judicial system, along with the national police and other related agencies. The attackers exploited a Citrix memory overflow vulnerability in May, subsequently prompting a patch alert from both the NCSC and Citrix. In July, evidence surfaced suggesting multiple organizations had suffered breaches due to this vulnerability, leading the NCSC to initiate an official investigation.
Ongoing inquiries are focusing on the extent, nature, and impact of these attacks. The NCSC is collaborating with affected organizations, incident response teams, and cybersecurity partners to identify new indicators of compromise.
Although the NCSC-NL did not disclose specific details regarding the suspected hackers, an article in Dutch newspaper Algemeen Dagblad indicated that prominent sources believe Russian hackers are behind the incidents, potentially aiming to gather intelligence from the prosecution office.
This report from the Dutch government comes on the heels of heightened alerts from NATO regarding increased cyber threats from Moscow aimed at destabilizing Western support for Ukraine (see: France Says Russia Is Top Threat, Warns of ‘Open Warfare’).
Additionally, the Dutch intelligence service disclosed in May regarding a new Russian state-sponsored actor, referred to as Laundry Bear, that had previously infiltrated the contacts of Dutch police officers (see: Dutch Prosecutors Recover From Suspected Russian Hack).
