Dutch Department of Justice offline after Citrix vulnerability

The Department of Justice shut down all internet connections on Friday morning after a serious security threat. Analysis showed that hackers had probably exploited a vulnerability in Citrix NetScaler known as Citrix Bleed 2.

The problem was found when the National Cyber Security Center (NCSC) identified a potential security breach in the IT environment of the Public Prosecution Service (OM). After thorough analysis, the OM concluded that there was reason “to assume that this potential vulnerability had actually been exploited.”

The seriousness of the situation led to a crisis meeting on Thursday. As an immediate measure, all internet connections were shut down on Friday morning. Remote working is no longer possible. Employees can still work at the offices, but without internet access.

The consequences for daily operations are considerable. Public prosecutors with court hearings scheduled for Friday were advised in advance to download the necessary documents, as access to digital files during hearings could not be guaranteed.

Vulnerability in Citrix NetScaler

In this case, the Public Prosecution Service is dealing with Citrix Bleed 2. This flaw enables attackers to hijack user sessions by extracting session tokens from the memory of a vulnerable device. Citrix Bleed 2 is very similar to an older flaw from 2023, which criminals used in attacks on government institutions and which ransomware groups also exploited.

Citrix NetScaler is used for application delivery and security. It makes applications available. In the case of the Public Prosecution Service, it could be used, for example, for videos on the website that are necessary for assessing legal cases.

Previous warnings and precedents

The National Cyber Security Center had warned about this vulnerability earlier, both in May and in early July. At the time, the security agency said that “malicious actors could exploit the vulnerability to gain unauthorized access to certain parts of the system.”

At the end of March, the Public Prosecution Service also went offline due to a malfunction, initially ruling out the possibility of an external intrusion. However, it later turned out that the disruption was caused internally.

The current situation appears to be more serious, as there are now actual indications that a vulnerability has been exploited. The Public Prosecution Service has not yet announced when the systems will be fully operational again.