At the end of June 2025, the NATO Summit took place in the Netherlands. While the eyes of the world were fixed on dignitaries and conference halls, another battleground unfolded behind the scenes: that of digital security. Alongside physical threats,
international summits are increasingly becoming the target of cyberattacks.
In this tense environment, Sopra Steria played a vital role through the efforts of two specialised teams: a Dutch Security Operations Centre (SOC) and a French Cyber Threat Intelligence (CTI) team. Both worked hand in hand to monitor, analyse and neutralise
digital threats before and during the summit. In this article, Bert de Jong from Sopra Steria Netherlands and Ludovico Ninotti from Sopra Steria France reflect on the summit and their contribution.
A complex threat landscape
Events such as the NATO Summit are characterised by a highly complex threat environment. Not only must extensive physical security measures be taken, but increasingly these gatherings are also attractive
digital targets for cyberterrorists, hacktivists and state actors. Cyberattacks can paralyse critical infrastructure or damage the host nation’s reputation. Preparations therefore factored in a wide spectrum of digital and hybrid threats –
from DDoS attacks, ransomware and phishing to disinformation campaigns and espionage.
SOC team
In the Netherlands, the Security Operations Centre (SOC) team of Sopra Steria, led by Bert de Jong, was responsible for safeguarding the cybersecurity of clients involved in the NATO Summit. “Preparations started around
six months ahead of the summit,” he explains. “We contacted our clients to align expectations and clarify which information could or could not be shared. We also mapped out, at an early stage, which state actors or groups could pose a
threat, their likely capacities, resources and intentions, and what extra measures were required to protect our clients during the summit.”
Heightened state of alert
The SOC team operated under special rules during this period. Team members were not allowed to take leave during the week of the summit, ensuring the team ran at full capacity, with everyone physically present
at the Nieuwegein location.
De Jong himself worked from a specially designated war room where cybersecurity experts from the NCSC, the Dutch Police, Europol, the Municipality of The Hague and several cybersecurity companies joined forces to monitor and analyse threats in real time.
To protect client networks, the SOC team introduced additional measures. “Think of intensified monitoring in the SOC, conducting more frequent threat hunts, and hardening workstations by disabling tools like PowerShell and CMD. We also implemented
additional multifactor authentication instead of the usual single sign-on, and access restrictions were put in place for certain applications. It was, in effect, like raising the digital flood defences. Potential threats must be detected as early
as possible, so we ensured we had extra threat intelligence from our clients and the NCSC, which we could then translate into targeted search and remediation actions in their networks.”
Cyber Threat Intelligence team
Meanwhile in France, the CTI team represented by Ninotti – an expert in Russian cyber groups and threats – was focused on gathering and analysing potential threat intelligence linked to
the NATO Summit. Their work involved monitoring social media, forums, foreign media and the dark web.
Ninotti explains: “Our work is about contextualising cyber threats. Who is behind them? We don’t just look at technical indicators; we also examine geopolitical motives, actors, groups and their techniques. Ahead of the NATO Summit, we carried
out a cyber threat assessment that highlighted certain state actors and hacktivist groups likely to target the event. We then closely monitored their activity and shared valuable intelligence with the SOC team.”
Monitoring revealed, among other things, that three suspicious domain names had been registered in relation to the NATO Summit by Void Blizzard, a Russian-affiliated cyberespionage actor. These domains could have been used for malicious purposes, so they
were shared with the SOC team and the NCSC, after which they were blocked.
More than just another day at the office
Looking back, both specialists describe their involvement as far more than a routine workday. “It was truly special,” says Ninotti. “The geopolitical relevance, the media
attention – you could feel the urgency. Personally, I found it an honour to be involved. And the collaboration with the Dutch team made it genuinely worthwhile.”
De Jong agrees. “On the one hand it felt like business as usual, but at the same time you knew the whole world was watching over your shoulder. In that sense, it was extraordinary to have contributed, even indirectly, to something of this magnitude.
Our junior analysts also gained invaluable experience. They witnessed, from the inside, what large-scale cyber defence entails, which stakeholders are involved and what it takes to coordinate. That’s knowledge you cannot glean from textbooks.”
No major incidents
Although the NATO Summit went largely without incident, there were still some attempts at disruption. The pro-Russian hacker group NoName057 carried out multiple DDoS attacks on Dutch and Belgian websites, all
of which were successfully repelled. There was also a disruption of the Dutch railway network near Schiphol, possibly cyber-related, though no cause was ever confirmed.
For De Jong and Ninotti, the absence of major incidents is not a reason for complacency. “The modus operandi of state actors is usually one of patience,” De Jong warns. “They infiltrate systems and try to remain unnoticed for extended
periods before striking. When everyone is on high alert, as during the NATO Summit, they are less likely to act. But that doesn’t mean the threat disappears. Constant vigilance is essential.”
Cross-border collaboration
Both teams look back on the event with pride, particularly regarding their cooperation. “It was informal but highly effective,” says De Jong. “We maintained daily contact, exchanging information
in both directions to reinforce each other. What impressed me was that all parties set aside commercial interests for the duration of the summit and focused entirely on the greater good: the safety of the Netherlands and the NATO Summit.”
For both De Jong and Ninotti, the summit serves as a springboard for Sopra Steria’s broader ambition: more internal collaboration in cybersecurity. Ninotti concludes: “We already see this happening. A Cyber Threat Intelligence (CTI) working
group has been established at group level, where threat information is shared, streamlined and elevated to the right level, allowing us to learn from one another’s expertise. The NATO Summit reinforced a lesson many in cybersecurity already
know: effective defence is impossible without collaboration – across borders, companies and areas of expertise. Our strength lies in unity in diversity. Whether French, Dutch or Italian, if we work together, we make Europe safer.”