Cyber resilience: How to prevent a Hack of The Hague

Hack The Hague. Image: Holland Park Media

International conflict and humanitarian disasters have combined to make The Hague a growing target for cybercriminals. But the Dutch city is now fighting back against the hackers. Chris Price reports.

Regarded as the international city of peace and justice for the last 100 years, The Hague in The Netherlands is home to the Dutch parliament (the Netherlands is one of the few countries to have its parliament outside its capital city), as well as some of the world’s most important crime-fighting and humanitarian organisations.

These include the European Union Agency for Law Enforcement Cooperation, better known as Europol, The International Court of Justice (ICJ) and the International Criminal Court (ICC). Dozens of individuals have been indicted by the ICC with an arrest warrant issued for Russian leader Vladimir Putin earlier this year for child abductions that have taken place during Russia’s invasion of Ukraine.

Over 200 NGOs (Non-Governmental Organisations) are also located in The Hague including UNICEF Netherlands, the agency of the United Nations responsible for providing humanitarian aid to children worldwide and GHRD (Global Human Rights Defence).

However, while housing all of these organisations in one city is unquestionably good for humanity, it also inevitably attracts ‘bad actors’ who either want to exploit the world’s tragedies for their own financial gain or challenge the international rule of law for their own politically motivated reasons. And while years ago this may have resulted in criminal activity on the streets of The Hague, increasingly it is happening in the virtual or cyber world.

CyberPeace Institute

Speaking to Tech Digest at last week’s cybersecurity week in The Hague, Stéphane Duguin, CEO of the Geneva-based CyberPeace Institute said that since the invasion of Ukraine in 2022 ‘more than 50 countries have been impacted by cyber attacks,’ not just Russia and the Ukraine.

NGOs, in particular, are targeted for a number of reasons. One is that they tend not to have advanced cybersecurity systems or even personnel in place (most don’t even have their own Chief Information Security Officer or CISO). Another is that “as soon as there is a crisis or a disaster, NGOs are suddenly very rich, because of all the donations,” says Mr Duguin.

Indeed, it’s just at the point that donations come in to the NGOs that cybercriminals will often launch a ransomware attack in order to maximise any potential reward for themselves. Mr Duguin cites one tragic example of Roots of Peace, an NGO transforming mines to vines – in other words removing landmines and replacing with sustainable agricultural farmland. In January 2020, the organisation found itself the victim of a sophisticated cyberattack during which its emails to a bank were hacked and an unauthorised amount of $500,000 was transferred to an account in China.

Exactly two years later, in January 2020, the ICRC (International Committee of the Red Cross) was also targeted in a sophisticated cyber attack which saw the personal data of 515,000 people stolen, including names, locations and contact information. Those affected included missing people and their families, detainees and other people receiving services from the International Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters or migration. “When the ICRC was hit, it was a wakeup call for the whole community,” says the CyberPeace Institute’s Stéphane Duguin. “The logic was if the ICRC can be hit then so could my NGO.”

The International Committee of the Red Cross (ICRC) was most likely hacked by a state actor in January 2020

Nation-state actors

While often the cyberattack can be attributed to criminal gangs who simply want to extort a ransom from their victims, this isn’t always the case. For example, it’s likely that the ICRC was hacked by a nation-state actor (a Palo Alto Networks report from November 2021 linked the exploitation of the same vulnerability to a Chinese state-sponsored group, known as APT27).

The same is probably true of last month’s attack on The Hague-based International Criminal Court (ICC) given the nature of its role in handling sensitive information about war crimes. However, so far little has been publicly revealed about the attack or which state was behind it. Speaking to Tech Digest during last week’s ONE conference in The Hague, Director of the Netherlands’ NCSC (National Cyber Security Centre) Hans de Vries simply confirmed that it was working with the ICC on the issue. But he was unable to provide specific details about the attack, or whether it had yet been resolved. “We co-ordinated support after the ICC was hacked and I think they really appreciated our help,” said Mr de Vries.

In order to help the city deal with the rising threat of cybercrime, the CyberPeace Institute announced an initiative at The Hague’s ONE conference that will provide over 200 organisations access to free support from cybersecurity experts in order to make them more cyber-resilient. This includes access to hundreds of ethical hackers from the Netherlands’ DIVD academy as well as volunteers working for some of the CyberPeace Institute’s financial backers, including Mastercard, Microsoft, Ford Foundation and the William & Flora Hewlett Foundation.

Stephane Duguin, CEO of the CyberPeace Institute

Improving cyber resilience

Unlike the IT Army of Ukraine – a volunteer cyberwarfare organisation created to fight against digital intrusion into the country’s networks – the CyberPeace Institute focuses on defence, particularly improving the cyber resilience of organisations. According to CyberPeace Institute’s Mr Duguin it works more like a ‘matchmaking service’, matching the needs of the NGOs with volunteers who are vetted by their corporate sponsors.

Importantly, the volunteers are only exposed to ‘pre-cyber incident and post-incident missions’ and never have access to personal data. “The way we get companies to partner with us is through their CSR (corporate social responsibility) and ESG (environmental, social and corporate governance) objectives,” explains Mr Duguin. “It’s one way that many companies are able to secure and retain talent by saying to their CISO that as well as being able to secure our perimeter you can help organisations like Médecins Sans Frontières.” Currently there are around 700 volunteers to the CyberPeace Institute’s CyberPeace Builders Programme.

For Victor Gevers, CTO/Head of Research of the DIVD academy, which provides ethical hackers free of charge to the CyberPeace Institute, volunteering is particularly attractive to young people. “They want to learn the craft and contribute because it’s something they can put on their CV and on LinkedIn. In the Netherlands working as a volunteer at the DIVD academy has more value than a school diploma, at least as far as employers are concerned.”

Belgium-based company Senhive provides drone detection systems to help organisations combat the increasing number of cybersecurity attacks via drone

Cybersecurity week

With the rising threat of cybercrime targeting international organisations, it’s perhaps no surprise The Hague takes cybersecurity extremely seriously. Visiting the pretty Dutch city as a guest of The Hague and Partners during Cybersecurity Week, we witnessed several initiatives designed to improve the city’s cyber resilience.

Our tour began at the HSD (Hague Security Delta) campus, a sort of innovation cluster where businesses, government and knowledge institutes from across the Netherlands collaborate on security solutions. Currently, there are 34 different organisations within the building, including the IoT Forensic Lab of the Leiden University of Applied Sciences, and 275 partners in total.

At the IoT Forensic Lab, students look at the security of a range of smart devices (such as smart kettles, toothbrushes and speakers) as well as examining the data they provide that can be used in criminal cases. One of the big applications used is Hansken, a tool for providing Digital Forensics as a Service (DFaaS). This has already been deployed to examine digital material in hundreds of criminal cases in the Netherlands and abroad.

In addition to digital forensics, drone detection technology is also being increasingly used to combat cybercrime. “We are seeing an increasing number of drones landing on organisations’ rooftops to carry out attacks,” Thomas Petracca, CEO of Belgium-based aerospace company Senhive, told Tech Digest in a session during The Hague’s Cybersecurity week. One example he gave was of drones landing on a logistics centre roof that were successfully used to jam transmissions from the employees’ barcode scanners until a ransom was paid.

Using the company’s drone detectors in Antwerp for a month-long study, Senhive also detected ‘122 unique drones which were not authorised to fly around the city.’ Many of these were flying around at night when it’s likely they were being used for nefarious purposes, rather than filming the city’s scenery and some were flying at a height that could endanger aircraft. In most cases, Chinese-manufactured DJI drones are used for the attacks, but according to Senhive it’s not the drones themselves that are the problem but the ‘payload that is put on top of them.’ This often includes solar panels so the attack drones can carry on working for much longer than if they are simply battery-operated.

Hack the Hague

Finally, one innovative cybersecurity initiative that has been running since 2017 is ‘Hack The Hague’. Here members of the public are invited to the city’s municipal building (like a town hall in the UK) to find vulnerabilities within its IT systems. “A few years ago hackers found a critical problem in the Ricoh printer systems that was escalated to the National Cybersecurity Centre and to the manufacturers in Japan,” explains Jeroen Schipper, Chief Information Security Officer for The Hague municipality.

This year’s event saw 116 ethical hackers take up residence in the municipal building’s large atrium looking for vulnerabilities in the city’s IT networks. During the six-hour hacking competition, 65 unique vulnerability reports were submitted with six regarded as high-risk vulnerabilities. Another six were resolved during the day itself. In total, 12 prizes were awarded across four categories with prize money of up to €2,500 in each category, as well as a possible internship with one of the city’s vendors in Oslo.

And while, clearly, ethical hackers could earn much more working with private companies, Mr Schipper hoped that many of the participants did it because it was their civic duty. “What you see is that when hackers find something really great it becomes a status symbol,” he says. Certainly for the municipality it’s not always easy to justify its spend on cybersecurity, even the relatively modest prizes for the hacker event. “In total, we have €17,500 to spend on the event and if I speak to colleagues they say that’s a lot of money we could use to help families with,” explains Mr Schipper. “It’s always a struggle to get the money for cybersecurity until the next attack,” he admits.

However, what’s clear is that cyber security attacks on The Hague are becoming more frequent and intense, partly as a result of rising geopolitical tensions. “We had visits from the Ukraine’s President Zelensky in May and August and our vendor advised us 24 hours ahead that they could see there was an alert given by botnets to attack The Hague. Although we were able to see it coming, several organisations fell apart because of a co-ordinated DDoS (Distributed Denial of Service) attack,” he concludes.

Chris Price was a guest of The Hague & Partners.

Oct 9, 2023Chris Price

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it before the share count cache is updated.

Cookie	Duration	Description
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
disqus_unique	1 year	Set to record internal statistics for anonymous visitors.
uvc	1 year 1 month	addthis.com sets this cookie to determine the usage of addthis.com service.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
skimGUID	10 years	Set by Slimlinks, this cookie is a unique identifier provided to each device for log analysis to determine the number of unique users for various parts of skimresources.com.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
_ir	session	This is a Pinterest cookie that collects information on visitor behaviour on multiple websites. This information is used on the website, in order to optimize the relevance of advertisement.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.

Cookie	Duration	Description
wp_api	past	Description is currently not available.
wp_api_sec	past	Description is currently not available.
xtc	1 year 1 month	Description is currently not available.