Cyber Incident Victim: Gemeinde Grasellenbach
Date: Oct 2023
Location: Germany
Summary
The Grasellenbach municipal administration experienced a cyberattack compromising the mayor’s and his secretary’s email accounts via Outlook, enabling attackers to send malicious emails containing harmful PDF attachments or links to external recipients. The breach was detected when third parties reported suspicious communications, prompting immediate shutdown of all systems, password resets for all accounts, and notifications to potentially affected entities. While operational continuity was largely maintained with only two PCs directly impacted, the incident likely exposed personal data including names, addresses, contact details, and email correspondence. The municipality’s IT provider and relevant cybersecurity authorities are investigating the attack, though the compromised accounts suffered significant data loss affecting daily operations for the targeted individuals.
Description
On October 1, 2023, the municipal administration of Grasellenbach in Hesse, Germany, experienced a cyberattack targeting its email infrastructure. The breach was discovered on Tuesday, October 3, when external authorities alerted the administration to suspicious emails originating from compromised accounts belonging to Mayor Markus Röth and his secretary. The attackers had infiltrated the municipality’s Outlook system, gaining unauthorized access to these two email accounts. Through these accounts, they distributed emails containing malicious PDF attachments or links to external recipients. Upon detection, the administration immediately powered down all computers in the town hall as a precautionary measure and notified its IT service provider, e-com, as well as cybersecurity authorities and the Hessian Data Protection Commissioner. E-com’s investigation confirmed the attackers exploited the compromised accounts to send fraudulent messages but found no evidence of broader system infiltration beyond the two affected PCs. The service provider reset all email passwords across the administration to prevent further unauthorized access, and by the end of the day, the municipality issued warnings to partners and potential victims advising against opening suspicious attachments or links.

The attack disrupted operations primarily for the mayor and his secretary, who lost access to their email histories, significantly impairing their workflow. While other municipal functions continued normally, the incident required substantial personnel resources to manage the initial response and communications. Mayor Röth acknowledged the inevitability of such an attack, noting the administration had recently conducted a state election without technical issues prior to the breach. A formal letter from the administration warned that stolen data might include personal information such as names, addresses, email correspondence, contact details, and calendar entries, though the full extent remained unconfirmed. The municipality emphasized it never sends emails containing links as standard practice, urging recipients to verify sender addresses and report any suspicious activity. E-com collaborated with authorities to investigate the attack’s origin and methods, while the administration focused on damage containment and tracing potential data exfiltration. No ransomware or financial motives were cited, and services unrelated to the compromised email accounts faced no direct operational interruptions.
