Situation Report:
NATO Summit 2025, The Hague

A Northwave Cyber Threat Intelligence Situation Report.
As part of our risk-based, intelligence-driven approach, our Cyber Threat Intelligence (CTI) team continuously monitors current and evolving threats. Part of this process is assessing how our clients’ threat landscape is impacted by geopolitical, technological, socioeconomic and regulatory developments, which we call ‘drivers’. To inform our clients, our CTI reports offer our insights into evolving threats and emerging events, their impact, and necessary response measures.
In this report we update you on the upcoming NATO Summit in The Hague, this June 24th and 25th, and brief you on what the cyber security implications are for businesses and organisations in The Netherlands/Europe.
Key takeaways
- NATO Summit 2025 in The Hague poses a high cyber risk to Dutch and European organisations, especially in logistics, IT, hospitality and infrastructure, due to likely state-sponsored attacks and espionage.
- Russia and China are highly likely to deploy hybrid tactics including:
  - Russia: DDoS, sabotage, phishing, disinformation, and espionage campaigns targeting the Summit and surrounding services.
  - China: Phishing, likely limited disinformation, and espionage campaigns targeting NATO to improve its intelligence position towards the war in Ukraine.
- Dutch organisations may face collateral damage such as ransomware, operational disruption, reputational harm, and data breaches, even without direct Summit involvement.
- Northwave is actively engaged in defensive preparations through intelligence sharing, SOC updates, and coordination with national security partners.
- Organisations should act now by assessing their exposure, hardening defences, training staff, reviewing and hardening access, monitoring threats, and reviewing incident response plans to mitigate risks.
What is happening?
On 24 and 25 June 2025, the Netherlands will host the NATO Summit in The Hague, the first time it has done so since NATO’s founding. This event will attract significant geopolitical attention, making it a high-risk target for cyberattacks, nation-state espionage, and disinformation campaigns. Dutch organisations, particularly in logistics, IT, hospitality, critical infrastructure, and public services, face elevated cyber threat levels from hostile nation-state actors and (affiliated) criminal groups. Even European businesses without direct Summit ties may suffer collateral damage due to ransomware, phishing, or infrastructure disruption.
If they so choose, Russia and (to a lesser extent) China are likely to deploy a blend of hybrid tactics: DDoS attacks, espionage operations, critical infrastructure sabotage, and influence operations. Precedents from previous Summits and Russia’s ongoing hybrid campaigns in Europe suggest a tangible risk of spillover effects on Dutch commercial and civil affairs.
Strategic Context: The NATO Summit and Its Organisational Impact
The NATO 2025 Summit is set to bring together heads of state, military leaders, and international media in The Hague, with a strategic focus on hybrid threats, the defence of Europe’s eastern flank, and bolstering resilience in digital warfare. This high-profile gathering marks a significant moment for transatlantic cooperation and security coordination in an era of rapidly evolving geopolitical and technological challenges.
The logistical scale of the event is unprecedented. According to the Dutch National Coordinator for Security and Counterterrorism (NCTV), it will represent the largest security operation ever conducted in the Netherlands. The Summit will involve a vast array of international delegations, military escorts, media networks, and digital infrastructure.
In parallel, several public forums will be co-hosted, which are expected to draw both peaceful protests and the attention of hacktivist groups.
For Dutch stakeholders, the Summit introduces both opportunities and risks. There will be a marked increase in digital dependency, particularly on reliable cloud services and connectivity infrastructure.
At the same time, there is an elevated risk for service providers engaged in sectors such as hospitality, transport, event logistics, and digital communications. Organisations operating in these domains may face operational and reputational risks if they become inadvertently involved in targeted cyber operations or suffer collateral impacts from cyber incidents linked to the Summit.
Anticipated Cyber Threats
Considering the current threat landscape, driven by increasing geopolitical tensions between Russia and NATO, we expect an increase in nation-state related threats surrounding the Summit. These include:
1. Disruptive Hybrid Operations
Russia views the Summit as an opportunity to challenge NATO’s cohesion. Expect:
- DDoS campaigns: Groups like NoName057(16) are likely to target Summit-related infrastructure, municipal portals, transport systems, or media outlets. Their DDoSia toolkit enables mass volunteer-based attacks.
- Attempted disruptive attacks: Russian sabotage operations have previously impacted pipelines and subsea cables. Potential targets such as Dutch ports, energy grids, or mobile networks may face OT malware, causing downstream business paralysis.
Potential Business Impact:
Supply chain delays, disruptions in transport (traffic, airports, public transport, etc.), communication outages, power failures, customer service breakdowns.
2. State-Backed Espionage
Both Russia and China have track records of exploiting high-profile international events for intelligence purposes. Examples include:
- Russian Cozy Bear (APT29): In April 2025, European diplomats were actively targeted by a phishing campaign that promised a wine tasting and dropped malware backdoors.
- Russian Fancy Bear (APT28): Known for spoofing NATO communications to phish credentials from contractors or event staff. Likely to impersonate Summit organizers or logistics coordinators.
- Chinese Judgment Panda (APT31): Targeting IT service providers to pivot into Dutch defence or tech supply chains. Intellectual property theft is probable.
- I-Soon (China state-affiliated hacking contractor): Internal chat communications revealed they have targeted NATO and at least 14 governments in the past already.
Potential Business Impact:
Loss of sensitive data, strategic disadvantage, insider threat risks.
3. Phishing and Social Engineering
You may expect:
- NATO Summit-Themed Lures: e.g. Russian group RomCom (Storm-0978) is distributing spoofed NATO documents. These appear as urgent agendas, contracts, or vendor solicitations.
- Finance Scams: Disinformation-enabled scams may trick staff into fake payments or document leaks.
Potential Business Impact:
Financial loss, malware infections, reputational harm from leaked communications.
4. Disinformation and Polarisation Campaigns
Russia uses AI-generated deepfakes and narrative manipulation on social media and (alternative) news sources to:
- Undermine NATO legitimacy.
- Fuel public unrest (e.g., fake news on Summit outcomes).
- Tarnish the image of Dutch firms seen as cooperating with NATO.
Potential Business Impact:
Brand damage, risk of protesters, risk of backdoors through social engineering.
5. Collateral Cybercrime
Ransomware groups may operate under Russian protection, disrupting unrelated Dutch firms:
- Ransomware used “as-a-smokescreen”: Used to distract from ongoing espionage or OT attacks.
- Weaponised IoT: Compromised Dutch IoT devices could be part of global DDoS botnets or ORB networks.
Potential Business Impact:
System lockouts, recovery costs, downtime, reputational backlash.

Our approach
Northwave coordinates closely with national partners, including the NCSC, Police, Gemeente Den Haag and intelligence services, to ensure robust security around critical events such as the upcoming NATO Summit. In addition, we collaborate with private partners to bolster our threat intelligence capabilities, enabling our analysts to produce high-quality assessments.
In preparation, we have participated in several high-level security briefings focused on emerging threats and protective strategies related to the Summit. Alongside these efforts, we have actively gathered intelligence from both open and classified sources to enrich our situational awareness and threat landscape understanding.
As part of a dedicated intelligence exchange group for the NATO Summit, we collaborate on sharing Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) to fortify defences against potential nation-state actors. This intelligence is directly integrated into our SOC operations: our monitoring baselines have been updated with these latest IOCs, and our analysts are applying relevant TTPs to heighten detection capabilities during this elevated threat period.
Northwave will issue additional threat intelligence updates when deemed relevant.
To further strengthen our response readiness, Northwave is prepared to allocate additional resources as needed, whether to manage increased workload or to swiftly respond to any incidents that may arise in connection with the Summit.
What can you do?
To navigate this threat environment, organisations should implement the following proactive measures:
1. Situational Awareness & Threat Intelligence
- Actively monitor updates from NCTV, NCSC-NL, and trusted security providers like Northwave.
- Disseminate tailored threat bulletins internally to technical and executive teams.
2. Technical Hardening
- Validate DDoS mitigation capabilities with upstream ISPs.
- Segment OT from IT environments, especially in logistics, telecommunications, energy, and transport.
- Reduce your attack surface by removing obsolete assets, limiting access to assets, and making sure all assets are patched, especially VPNs, remote access tools, and IoT devices.
3. Phishing Defence & Staff Training
- Run NATO Summit-specific phishing simulations in June.
- Warn staff about impersonation tactics and fake Summit communications.
- Verify all payment requests through offline or multi-factor processes.
4. Data Governance & Access Control
- Reconfirm access rights to sensitive systems and apply the principle of least privilege.
- Lock down access to NATO Summit-related files and systems, especially in third-party tools.
5. Crisis Response Planning
- Review and rehearse ransomware and DDoS incident playbooks.
- Identify critical third parties and validate their incident response readiness.
- Prepare rapid-response communications in case of a breach or disinformation campaign.

Other Resources:
English:
https://www.nato.int/cps/en/natohq/topics_50115.htm
https://www.government.nl/topics/nato-summit-2025
https://www.government.nl/topics/nato-summit-2025/security-nato-summit-2025
Dutch:
https://www.rijksoverheid.nl/onderwerpen/navo-top-2025
https://www.denhaag.nl/nl/stad-van-vrede-en-recht/navo-top-2025-in-den-haag/
https://www.nctv.nl/actueel/nieuws/2025/05/06/tientallen-organisaties-werken-samen-aan-veilige-navo-top
https://www.ncsc.nl/wat-kun-je-zelf-doen/navo-top
If you have any questions, please reach out to your Northwave contact person.