The ICC said the new incident was the second “of its type” it has faced in recent years, relating to an espionage attack in 2023.
# Incident Report: Targeted Cybersecurity Incident at the International Criminal Court (ICC)
## Executive Summary
The International Criminal Court (ICC) experienced a "sophisticated and targeted" cybersecurity incident late in the week preceding June 30, 2025. The incident was successfully contained via the court's internal alert and response mechanisms. This event marks the second such significant security incident for the ICC in recent years, following a confirmed espionage attack in September 2023, necessitating immediate analysis and international support to ensure the continuation of judicial functions.
## Incident Details
- **Disclosure Date:** Monday, June 30, 2025 (the precise date of internal discovery was not given).
- **Incident Date:** Late in the week prior to June 30, 2025.
- **Affected Organization:** International Criminal Court (ICC).
- **Sector:** International Justice/Governmental Organization.
- **Geography:** Netherlands-headquartered (Global Jurisdiction).
## Timeline of Events
### Initial Access
- **Date/Time:** Late in the week prior to June 30, 2025.
- **Vector:** Not explicitly stated, but described as "sophisticated and targeted." *Likely external threat actor.*
- **Details:** Attack targeted the ICC's IT systems.
### Lateral Movement
- Details not specified in the public disclosure.
### Data Exfiltration/Impact
- An initial Court-wide impact analysis is underway to determine the full scope.
- The primary immediate impact is the need to ensure the continuity of the Court’s work investigating and prosecuting suspected crimes against humanity.
### Detection & Response
- **Detection:** Occurred via the Court’s internal alert and response mechanisms.
- **Response Actions:** The incident was contained, and an impact analysis has commenced. The ICC is actively taking steps to mitigate effects.
## Attack Methodology
*Note: Specific technical details are sparse, as this is a high-level public disclosure.*
- **Initial Access:** Targeted/Sophisticated means utilized.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Implied by the "sophisticated" nature of the attack.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Unknown, pending impact analysis.
- **Exfiltration:** Unknown.
- **Impact:** Disruption to IT systems, requiring mitigation steps.
## Impact Assessment
- **Financial:** Not specified, but significant costs associated with forensic analysis and recovery are implied.
- **Data Breach:** Scope under investigation. Given the nature of the ICC, highly sensitive judicial and investigative data is presumed to be at risk.
- **Operational:** Business continuity is a primary concern, with the ICC actively working to "effectively continue its work investigating and prosecuting."
- **Reputational:** Potential erosion of trust depending on the scope of the compromise and data affected.
## Indicators of Compromise
*No specific forensic indicators were provided in the source text.*
- **Network indicators:** None specified.
- **File indicators:** None specified.
- **Behavioral indicators:** None specified beyond the description of the attack as "sophisticated and targeted."
## Response Actions
- **Containment measures:** The Court's internal alert and response mechanisms contained the incident.
- **Eradication steps:** The ICC reports it is taking steps to mitigate the incident's effects; no eradication specifics were disclosed.
- **Recovery actions:** Impact analysis underway to inform full recovery procedures. The ICC has called for international support.
## Lessons Learned
- The ICC has demonstrated that its internal alert and response mechanisms are capable of achieving initial containment.
- The organization remains a target, having suffered a second major incident (following the 2023 espionage attack), which indicates persistent, capable adversaries focused on this critical institution.
## Recommendations
- Conduct a thorough, independent forensic investigation to fully scope the 2025 incident and correlate it with the 2023 espionage attack.
- Review and enhance security posture against previously identified sophisticated threat actors, especially concerning targeted initial access vectors.
- Establish robust international collaboration channels for rapid technical assistance following high-profile state-sponsored or sophisticated cyber incidents.