At least three Dutch banks and the Dutch tax office reported on Monday that they had suffered coordinated DDoS attacks against their respective infrastructures.
The DDoS attack on ABN AMRO started on Saturday, per the bank's statement, while the other two banks were hit on Monday.
Also on Monday, Belastingdienst, the Dutch Taxation Authority, admitted suffering a DDoS attack that prevented users from logging into its web portal and filing tax-related documents.
Citing sources, Dutch security researcher Rickey Gevers claimed the attacks reached a peak of 40 Gbps in volume.
"Hey fellow DFIR people. Jan 25th the story broke the Dutch Intelligence Agency AIVD hacked Cozy Bear. At this moment critical Dutch infra is under (40Gbps) DDoS attack. Has anyone seen infected clients/network traffic performing a DDoS attack on Dutch infra? Please let me know." — Rickey Gevers (@UID_), January 29, 2018
He also said the attacks came mainly from IP addresses associated with home routers. A report by NL Times, citing sources at antivirus vendor ESET, claimed some of the DDoS attacks were also carried out using the Zbot malware, a known (desktop-based) banking trojan based on the old ZeuS banking trojan.
The same report claimed the command and control servers for this botnet were based in Russia.
The Dutch media's obsession with Russia is not accidental. Last week, Dutch newspaper Volkskrant and TV station NOS published a report claiming that the country's AIVD intelligence service compromised the computer of a hacker who was part of the Russia-based cyber-espionage group Cozy Bear (also known as APT29).
The report claims AIVD agents had spied on the cyber-espionage unit since 2014 and observed how Russian intelligence services hacked into DNC servers during the 2016 US Presidential election.
Journalists said AIVD identified individuals who were part of the Cozy Bear cyber-espionage unit and even watched Russian hackers through the webcams on the compromised PC.
Many Dutch officials now fear the DDoS attacks are just the first of the many Russian cyber-attacks that will come as retaliation for last week's revelations.
Something similar happened in 2015 when the Dutch Safety Board (DSB) was attacked by another Russian cyber-espionage unit, Fancy Bear (aka APT28). Those attacks came as Dutch authorities were investigating the crash of flight MH17 in Ukraine; they later issued a report blaming the crash on a military missile fired at the aircraft by pro-Russian rebels.