Cyber Incident Victim: State of Berlin
Date: Sep 2023
Location: Germany
Summary
The Hauptstadtportal berlin.de experienced significant disruptions due to multiple DDoS attacks. The initial attack rendered the portal unreachable for several minutes and caused limited accessibility for nearly an hour, with a subsequent attack leading to ongoing access restrictions. Official sources confirmed that no data exfiltration occurred as a result of these incidents, which were designed to overload and deny service to the website's infrastructure.
Description
On September 19, 2023, the official capital city portal of Berlin, berlin.de, was subjected to a series of cyberattacks. The Presse- und Informationsamt des Landes Berlin (Press and Information Office of the State of Berlin) confirmed the incident in a press release published that same day. The attacks were identified as Distributed Denial of Service (DDoS) attacks targeting the infrastructure supporting the berlin.de website. A DDoS attack is characterized as an attempt to restrict access to an internet service by causing its overload through a flood of traffic originating from numerous, widely distributed senders across the internet. These are not singular events but rather extend over longer periods of time as determined by the attackers.

The first attack was detected on Tuesday, September 19, 2023, and rendered the Hauptstadtportal (capital city portal) unreachable for several minutes. The period of disruption began at 10:30 in the morning and continued until approximately 11:20. At the start of this window the website was completely unavailable; afterwards it was only partially available, meaning users attempting to reach it could do so only in a limited or degraded capacity. The technical teams responsible for the portal's infrastructure began implementing control measures in response to this first incident.
Subsequent to the first attack, a second DDoS attack was launched against the berlin.de infrastructure. This follow-up attack contributed to the ongoing disruption. The press release from the Berlin Senate Chancellery explicitly stated that despite the implementation of ongoing countermeasures, restrictions on accessing the website persisted at the time of the announcement. The control measures undertaken by the technical staff remained in place and active as they worked to mitigate the effects of the sustained attacks and restore full service. The primary impact of these events was the limited availability and functionality of the berlin.de web portal, preventing citizens and users from reliably accessing the information and services provided by the capital city's official online presence.
A critical finding from the initial investigation was that no data breach occurred as a result of these attacks. The authorities specifically stated that a data outflow, or exfiltration, was not detectable. This indicates that the objective of the threat actors appeared to be solely the disruption of service rather than the compromise or theft of sensitive information stored on the portal's backend systems. The nature of a pure DDoS attack aligns with this assessment, as its primary mechanism is to consume bandwidth and server resources to cause downtime, not to infiltrate a network to extract data. The incident was therefore categorized as an availability issue.
The response actions were focused on containment and mitigation. The technical teams employed ongoing control measures to counteract the flood of malicious traffic and stabilize the service. The press release does not name the specific measures; typical defenses against DDoS attacks include traffic filtering, rate limiting, and leveraging DDoS mitigation service providers to absorb and scrub the malicious traffic before it reaches the target infrastructure. The persistence of these measures reflects the prolonged and distributed nature of the attack campaign, as the attackers continued their efforts to disrupt the service over an extended period. The official communication included a definition of a DDoS attack to inform the public about the nature of the incident, emphasizing that such attacks follow the attackers' timeline rather than being a one-time event. The contact information for the Press and Information Office was provided for further inquiries, serving as the official point of contact for the incident. The overall consequence was a temporary but significant interruption to a key public service platform, underscoring the exposure of critical municipal online infrastructure to availability-targeting attacks.
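One reason a flood "from numerous, widely distributed senders" is hard to stop with per-IP rate limiting alone is that each source can stay under the limit while the aggregate still overwhelms the service. The check below, an added example that is not from the page or the Berlin portal's operators, counts requests per fixed window from Common Log Format lines and reports both single loud sources and windows whose aggregate count is excessive; the log lines are constructed and the thresholds are assumed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Client IP and timestamp fields of a Common Log Format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')


def parse_line(line):
    """Return (ip, datetime) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def analyze(lines, window=10, per_ip_limit=50, total_limit=200):
    """Bucket requests into fixed windows of `window` seconds and report
    (a) single sources above per_ip_limit and (b) windows whose aggregate
    request count exceeds total_limit even if no single source crossed it.
    Thresholds are assumed values for the example, not operator settings."""
    buckets = defaultdict(Counter)  # window start -> Counter(ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort mid-incident
        ip, ts = parsed
        start = int(ts.timestamp()) // window * window
        buckets[start][ip] += 1
    noisy_ips, flood_windows = set(), []
    for start, counts in sorted(buckets.items()):
        total = sum(counts.values())
        noisy_ips.update(ip for ip, n in counts.items() if n > per_ip_limit)
        if total > total_limit:
            flood_windows.append((start, total, len(counts)))
    return {"noisy_ips": sorted(noisy_ips), "flood_windows": flood_windows}


def build_sample():
    """Constructed traffic, not real berlin.de logs: 60 distributed sources
    sending 5 requests each (300 total, none over the per-IP limit) plus one
    loud source sending 80 requests, all inside the same 10-second window."""
    line = '{ip} - - [19/Sep/2023:10:30:0{s} +0200] "GET / HTTP/1.1" 200 5120'
    lines = [line.format(ip=f"198.51.100.{i}", s=k) for i in range(60) for k in range(5)]
    lines += [line.format(ip="203.0.113.7", s=k % 5) for k in range(80)]
    return lines


if __name__ == "__main__":
    print(analyze(build_sample()))
```

Only the loud source trips the per-IP limit; the 60 quiet sources are caught solely by the aggregate window count, which is why mitigation typically needs upstream scrubbing or global rate controls rather than per-client limits alone.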
