Cyber Incident Victim: Count and Care
Date:
Jun 2022
Location:
Germany
Summary
A ransomware attack by suspected professional hackers targeted IT service provider Count and Care, a subsidiary of energy utility Entega, disrupting operations for multiple municipal companies in Darmstadt. The incident compromised internal and external communications, customer portals, and websites of affiliated entities including public transit operator Heag mobilo, real estate firm Bauverein AG, and waste management services, though critical infrastructure like energy distribution and public transport remained operational. Customer data reportedly remained unaffected, but service delays occurred for commercial waste management and online systems. Recovery efforts involved round-the-clock work by internal IT teams alongside forensic support from state and federal law enforcement agencies, including Hesse's Cyber Competence Center, to restore systems and investigate the attack's origin.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 5 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 12, 2022, a cyberattack targeted Entega, a Darmstadt-based energy provider, compromising approximately 2,000 employee email accounts and disrupting the company's websites. Entega's spokesperson Michael Ortmanns confirmed the attack occurred overnight, emphasizing that critical infrastructure—including electricity, gas, and water networks—remained operational due to segregated security measures. Initial assessments indicated no compromise of customer data. Authorities including the Hesse Interior Ministry's Cyber Competence Center (Hessen3C), state police, and federal criminal investigators were immediately engaged to implement countermeasures and conduct forensic analysis. By June 13, the attack's scope expanded significantly, revealing Count and Care—Entega's IT services subsidiary responsible for municipal companies' systems—as the primary target. This subsidiary managed IT infrastructure for multiple Darmstadt municipal entities, including public transit operator Heag mobilo, real estate firm Bauverein AG, waste management provider EAD, and Digitalstadt Darmstadt GmbH.
The ransomware attack disabled internal and external communication channels across affected organizations, forcing websites and customer portals offline. Heag mobilo's phone systems were partially restored by midday June 13, while waste management provider FES suspended its online bulk waste scheduling and customer portal access, reverting to manual processing via email and phone. Municipal services like garbage collection and public transit operated normally, though commercial waste services anticipated delays. Darmstadt Mayor Jochen Partsch confirmed no disruptions to critical infrastructure but acknowledged prolonged IT system recovery efforts, estimating several days before full service restoration. Count and Care's management team, alongside Hessen3C's mobile response unit, worked continuously to secure data, restore systems, and preserve forensic evidence. Investigators attributed the attack to professional actors employing targeted methods, though the intrusion's origin and potential data exfiltration remained under investigation. Service interruptions persisted through the week, with full recovery contingent on Count and Care's data center reactivation.