Cyber Incident Victim: Smart InsurTech AG
Date: Feb 2023
Location: Germany
Summary
Smart InsurTech AG experienced a sophisticated ransomware attack compromising portions of its IT infrastructure, primarily affecting its Smart Cloud and Smart Consult platforms along with partial impacts to Smart Gevo services. The attack involved unauthorized encryption of systems and subsequent data exfiltration claims by threat actors, later corroborated through forensic analysis identifying exfiltration tools and specific data access patterns. Immediate containment measures included isolating affected systems, engaging external cybersecurity experts for forensic investigations, and restoring operations from secured multi-layered backups without data loss. While most core services were gradually reinstated with enhanced security validations, some customer accounts required granular recovery efforts. The incident response included regulatory notifications to data protection authorities, criminal complaints filed with law enforcement, and direct communication with impacted customers regarding compromised personal and operational data such as names, contact details, and client documents.
Description
On the night of February 9-10, 2023, Smart InsurTech AG detected anomalous activity in its IT systems around 23:00 CET, triggering activation of its emergency response plan. Internal IT teams immediately isolated and powered down the affected Smart Cloud and Smart Consult platforms, along with partially disabling the Smart Box feature within the Smart Gevo product line. The company engaged two external cybersecurity forensic firms by February 10 to investigate what was later confirmed as a ransomware attack by an organized criminal group. Initial forensic analysis completed on February 11 identified the malware variant, though detection tools had failed to recognize it initially due to its novel cryptographic implementation. Attackers encrypted portions of the infrastructure and subsequently claimed data exfiltration on darknet channels, though no initial evidence supported these assertions.

By February 13, investigators confirmed the compromise included personal data of Smart Cloud and Smart Consult users, including names, professional email addresses, banking details, and uploaded client documents. Restoration efforts commenced on February 14 using multi-layered encrypted backup systems containing approximately 140 TB of data, with priority given to validating backup integrity through security scanning. Core systems were reactivated in isolated environments by February 16, achieving 95% data restoration progress while maintaining coordination with Berlin State Criminal Police Office (LKA) investigators. The phased system recovery prioritized email functionality through temporary Webmail access on February 23, followed by Citrix Application Hosting availability by March 3 and full MailStore archival service restoration by March 10. Final forensic conclusions in June 2023 established limited data exfiltration through attacker-specific tools targeting selected system segments, prompting direct notifications to affected customers while confirming broader architectural areas remained uncompromised. Persistent operational disruptions included sustained phishing campaigns targeting clients during the outage period, mitigated through temporary blocking of OneNote file attachments in Exchange environments. No lasting data loss occurred thanks to offline backup preservation, though system reactivation required complete credential resets and architectural security hardening prior to full operational restoration by mid-2023.
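The interim control mentioned above, blocking OneNote attachments at the Exchange mail flow layer, is the kind of temporary rule a defender can stand up in minutes while a phishing campaign runs against an organisation's customers. The following is an added example and not configuration from Smart InsurTech AG or its responders; the rule name, reject text and comment are assumptions, and the reporting cmdlet at the end applies to Exchange Online.

```powershell
# Added example (not from the incident report): a temporary Exchange mail flow rule that
# rejects inbound external messages carrying OneNote (.one) attachments.
# Rule name, reject text and comment are assumed values, not from the report.
New-TransportRule -Name "TEMP-Block-OneNote-Attachments" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords "one" `
    -RejectMessageReasonText "OneNote attachments are temporarily blocked by policy." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Priority 0 `
    -Comments "Interim control during incident recovery; remove when the block is lifted."

# Confirm the rule exists, is enabled and sits at the top of the evaluation order
Get-TransportRule -Identity "TEMP-Block-OneNote-Attachments" |
    Format-List Name, State, Priority, FromScope, AttachmentExtensionMatchesWords

# Exchange Online only: how often the rule has fired over the past week,
# useful for judging when the campaign has subsided and the block can be removed
Get-MailDetailTransportRuleReport -TransportRule "TEMP-Block-OneNote-Attachments" `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
```

Scoping the rule to `NotInOrganization` keeps legitimate internal OneNote sharing working while the external campaign is blocked, and the `-Comments` field ties the rule to the incident so it is not forgotten once recovery is complete. Rejecting with a reason, rather than silently dropping, lets genuine senders understand why their message bounced during the block window.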
