RTV Noord Cyber Attack - Dutch Broadcaster Forced Off Air
Category:Incident Response & DFIR
RTV Noord, a regional Dutch broadcaster, suffered a cyber attack that disrupted broadcast operations and forced hosts to rely on physical media. Indicators suggest a ransomware-style event mapped to T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery). Attackers left a ransom note on internal systems, and the newsroom was reduced to limited communications via WhatsApp. This mirrors tactics seen in recent Rhysida ransomware attacks on media outlets. The incident demonstrates the high operational and reputational risk of targeting public emergency broadcasters.
CORTEX Protocol Intelligence Assessment
Business Impact: Disruption to emergency broadcasting endangers public communications and damages trust. Outages during crises could violate regulatory mandates for emergency messaging. Technical Context: The attack matches ransomware TTPs (T1486, T1490). Newsroom systems were encrypted, showing lateral spread across IT and broadcast control networks.
Strategic Intelligence Guidance
- Segment playout and broadcast systems from IT networks.
- Maintain offline backups of critical scheduling and playout data.
- Deploy EDR and network segmentation to limit ransomware spread.
- Run tabletop exercises simulating media ransomware disruption.
Vendors
Threats
Targets
Intelligence Source: RTV Noord Cyber Attack - Dutch Broadcaster Forced Off Air | Nov 11, 2025