The Dutch Public Prosecution Service (part of the Department of Justice) shut down all internet connections on Friday morning after a serious security threat. Analysis showed that hackers had probably exploited a vulnerability in Citrix NetScaler known as Citrix Bleed 2.
Update 7/21
Today, Dutch news organization NOS reports that the Public Prosecution Service may remain disconnected from the internet for weeks. This means, among other things, that employees cannot be reached by email and cannot log in remotely. This has far-reaching consequences, as it also means that access to files will be (severely) restricted. A spokesperson for the Public Prosecution Service told the NOS that public prosecutors can read files, but cannot edit or print them. The impact this will have on court cases is not yet known.
Original message from July 18 below:
The problem came to light when the National Cyber Security Center (NCSC) identified a potential security breach in the Public Prosecution Service’s IT environment. After thorough analysis, the Public Prosecution Service concluded that there was reason “to believe that this potential vulnerability had actually been exploited.”
The seriousness of the situation led to a crisis meeting on Thursday. As an immediate measure, all internet connections were shut down on Friday morning. Remote working is no longer possible. Employees can still work at the offices, but without internet access.
The consequences for daily operations are considerable. Public prosecutors with court hearings scheduled for Friday were advised in advance to download the necessary documents, as access to digital files during hearings could not be guaranteed.
Vulnerability in Citrix NetScaler
In this case, the Public Prosecution Service is dealing with Citrix Bleed 2. This flaw allows attackers to take over user sessions by extracting session tokens from the memory of a vulnerable device. Citrix Bleed 2 is very similar to an older flaw from 2023, which criminals used in attacks on government institutions and which ransomware groups also exploited.
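Because a stolen session token lets an attacker continue an existing session from a different machine, one common check on the defender's side is to look for the same session appearing from more than one client address within a short time. The sketch below is an added example, not taken from the Public Prosecution Service, the NCSC or Citrix; the log format, the field names and the 30-minute window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical
# "timestamp session_id client_ip user" format (not a real NetScaler log layout).
SAMPLE_LOG = """\
2025-07-17T08:01:12 sess-a1 198.51.100.10 alice
2025-07-17T08:03:40 sess-b2 198.51.100.22 bob
2025-07-17T08:05:02 sess-a1 198.51.100.10 alice
2025-07-17T08:06:15 sess-a1 203.0.113.77 alice
2025-07-17T09:30:00 sess-b2 198.51.100.23 bob
truncated or malformed line
"""

def parse(log_text):
    """Yield (timestamp, session_id, client_ip, user); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def find_session_reuse(log_text, window_minutes=30):
    """Flag a session whose client IP changes within the window.

    A short window keeps ordinary roaming (new address after a long pause)
    from being flagged; widening it trades more noise for more coverage.
    """
    window = timedelta(minutes=window_minutes)
    last_seen = {}   # session_id -> (timestamp, client_ip)
    findings = []
    for ts, sid, ip, user in sorted(parse(log_text)):
        prev = last_seen.get(sid)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            findings.append({"session": sid, "user": user, "time": ts,
                             "previous_ip": prev[1], "new_ip": ip})
        last_seen[sid] = (ts, ip)
    return findings

if __name__ == "__main__":
    for f in find_session_reuse(SAMPLE_LOG):
        print(f"{f['time']} {f['session']} ({f['user']}): "
              f"{f['previous_ip']} -> {f['new_ip']}")
```

A hit is a lead for investigation, not proof of compromise: the affected session should be terminated and the account's activity reviewed.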
Citrix NetScaler is used for application delivery and security. It makes applications available. In the case of the Public Prosecution Service, it could be used, for example, for videos on the website that are needed for assessing legal cases.
Previous warnings and precedents
The National Cyber Security Center warned about this vulnerability earlier, both last month and in early July. At the time, the security agency said that “malicious actors could exploit the vulnerability to gain unauthorized access to certain parts of the system.”
At the end of March, the Public Prosecution Service also went offline due to a malfunction, initially ruling out the possibility of an external intrusion. However, it later turned out that the disruption was caused internally.
The current situation appears to be more serious, as there are now actual indications that a vulnerability has been exploited. The Public Prosecution Service has not yet announced when the systems will be fully operational again.