Ransom demand
Hacker group paralyzes more than 70 municipalities in North Rhine-Westphalia – experts warn
A numerical code runs across a screen in the Bavarian Cybercrime Central Office (ZCB). In North Rhine-Westphalia, hackers have paralyzed services in more than 70 municipalities
© Nicolas Armer/dpa
A number of municipalities in North Rhine-Westphalia have been put out of action by a hacker attack. One can only speculate about the perpetrators. What is certain, however, is that they have caused great damage.
The new car cannot be registered and the driver’s license cannot be picked up. The birth certificate is a long time coming, as is the new identity card. The residence permit is only available as a provisional document. Services of more than 70 have been available for days Municipalities in North Rhine-Westphalia paralyzed in one fell swoop. Citizens’ offices were completely closed.
A targeted hacker attack has thrown the administrations seriously out of sync, and laborious emergency solutions are being put in place. It was not the first hacker attack on public infrastructure in Germany, but one of the most far-reaching. And experts warn of a further increase in cyberattacks.
The Federal Office for Information Security (BSI) reports that on average two municipalities or municipal companies are affected by such hacker attacks every month. Within twelve months, by the middle of this year, municipalities with almost six million inhabitants were affected nationwide.
After hacker attacks: no quick return to normality
In the case of the current hacker attack on the service provider Südwestfalen-IT on October 30th, there was nothing left but to switch off all systems immediately, the attacked company said. The crisis team has been meeting since then. A special unit of cybercrime investigators is hunting the perpetrators, while IT forensic experts are searching for the loophole through which the hackers were able to gain entry.
A quick return to normality is unlikely, but there is hope that some public services will soon be available again, at least on a temporary basis.
A hacker group called “Akira” demands a ransom before they want to release the municipal systems again, according to a report to the North Rhine-Westphalia state parliament. But the municipalities definitely don’t want to pay. Cities, municipalities and districts are mainly affected in South Westphalia, sometimes also in the Ruhr area, in the Rheinisch-Bergischen district and elsewhere – with differences in type and extent.
Cologne public prosecutor Christoph Hebbecker from the central cybercrime unit ZAC NRW reports that hardly a day goes by without his unit having to investigate a so-called ransomware attack like this one in North Rhine-Westphalia. However, in view of the serious consequences, the current case is an “outstanding procedure”.
According to the public prosecutor, attacks are being made “across the board”: universities, educational institutions, law firms, hospitals and companies in all sectors. The scam is always the same: The criminals look for security gaps, infiltrate the system and often implant themselves with their malware weeks or months before the actual attack. It is still unclear whether in the current case data was only encrypted or also stolen.
The BSI has noted that criminal hackers have been increasingly choosing the path of least resistance for some time and selecting victims who appear to them to be easily vulnerable. “The focus was no longer on maximizing the potential ransom money, but on the rational cost-benefit calculation,” says the latest management report.
Cyber attacks cause great damage to the economy and society
Cyber attacks have become one of the biggest threats to the German economy and society, warns the digital association Bitkom. In the past twelve months, German companies alone incurred 206 billion euros in damage through espionage, sabotage and data theft, of which 148 billion euros were caused by cyber attacks, says security expert Simran Mann. “And the risk of cyber attacks is growing.”
The IT infrastructure needs to be updated regularly, security gaps need to be closed quickly, and backups and emergency recovery plans need to be in place. According to Bitkom, employee training is also very important in order to detect attacks early and then be able to behave correctly.
Last March, cybercrime investigators at ZAC NRW managed to unmask the hacker group “Double-Spider,” also known as “Doppel Spider” or “Grief.” The suspects, who are wanted around the world, are blamed, among other things, for the attack on the Düsseldorf University Hospital, the Funke media group and the Anhalt-Bitterfeld district, which therefore declared a disaster.
One of the suspects, the Russian Igor T., is said to have taken part in a hacker competition run by the mercenary group Wagner at the end of 2022. “We also see that individuals in this group of perpetrators have references and connections to the Russian domestic secret service FSB and the paramilitary mercenary group Wagner,” NRW Interior Minister Herbert Reul (CDU) said at the time.
However, not much is known about the new hacker group “Akira”. “We have no contact with the group of perpetrators and are not negotiating ransom money,” says public prosecutor Hebbecker. With such attacks it is extremely difficult to identify the attackers behind them. An arrest is even rarer.